cisco.dnac.sda_fabric_sites_zones_workflow_manager module – Manage fabric site(s)/zone(s) and update the authentication profile template in Cisco Catalyst Center.
Note
This module is part of the cisco.dnac collection (version 6.31.3).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.dnac.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: cisco.dnac.sda_fabric_sites_zones_workflow_manager.
New in cisco.dnac 6.17.0
Synopsis
Creating fabric site(s) for the SDA operation in Cisco Catalyst Center.
Updating fabric site(s) for the SDA operation in Cisco Catalyst Center.
Creating fabric zone(s) for the SDA operation in Cisco Catalyst Center.
Updating fabric zone(s) for the SDA operation in Cisco Catalyst Center.
Deletes fabric site(s) from Cisco Catalyst Center.
Deletes fabric zone(s) from Cisco Catalyst Center.
Configure the authentication profile template for fabric site/zone in Cisco Catalyst Center.
Requirements
The below requirements are needed on the host that executes this module.
dnacentersdk >= 2.9.2
python >= 3.9
Parameters
Parameter |
Comments |
|---|---|
A list containing detailed configurations for creating, updating, or deleting fabric sites or zones in a Software-Defined Access (SDA) environment. It also includes specifications for updating the authentication profile template for these sites. Each element in the list represents a specific operation to be performed on the SDA infrastructure, such as the addition, modification, or removal of fabric sites/zones, and modifications to authentication profiles. |
|
A dictionary containing detailed configurations for managing REST Endpoints that will receive Audit log and Events from the Cisco Catalyst Center Platform. This dictionary is essential for specifying attributes and parameters required for the lifecycle management of fabric sites, zones, and associated authentication profiles. |
|
Modifying an IP address pool used in a fabric causes the fabric to become outdated. An update is required to apply the IP address pool changes to the devices in the fabric site. The reconfiguration time depends on the number of devices. During an upgrade, any pending fabric updates are captured as pending fabric events and applied to the respective site. By default, this is set to False. Choices:
|
|
The authentication profile applied to the specified fabric. This profile determines the security posture and controls for network access within the site. Possible values include ‘Closed Authentication’, ‘Low Impact’, ‘No Authentication’, and ‘Open Authentication’. This setting is critical when creating or updating a fabric site or updating the authentication profile template. |
|
Specifies the type of site to be managed within the SDA environment. The acceptable values are ‘fabric_site’ and ‘fabric_zone’. The default value is ‘fabric_site’, indicating the configuration of a broader network area, whereas ‘fabric_zone’ typically refers to a more specific segment within the site. |
|
A boolean flag that indicates whether the pub/sub mechanism is enabled for control nodes in the fabric site. This feature is relevant only when creating or updating fabric sites, not fabric zones. When set to True, pub/sub facilitates more efficient communication and control within the site. The default is True for fabric sites, and this setting is not applicable for fabric zones. Choices:
|
|
This name uniquely identifies the site for operations such as creating, updating, or deleting fabric sites or zones, as well as for updating the authentication profile template. This parameter is mandatory for any fabric site/zone management operation. |
|
A dictionary containing the specific details required to update the authentication profile template associated with the fabric site. This includes advanced settings that fine-tune the authentication process and security controls within the site. |
|
Specifies the primary method of authentication for the site. The available methods are ‘dot1x’ (IEEE 802.1X) and ‘mac’ (MAC-based authentication). This setting determines the order in which authentication mechanisms are attempted. |
|
The timeout duration, in seconds, for falling back from 802.1X authentication. This value must be within the range of 3 to 120 seconds. It defines the period a device waits before attempting an alternative authentication method if 802.1X fails. |
|
A boolean setting that enables or disables BPDU Guard. BPDU Guard provides a security mechanism by disabling a port when a BPDU (Bridge Protocol Data Unit) is received, protecting against potential network loops. This setting defaults to true and is applicable only when the authentication profile is set to “Closed Authentication”. Choices:
|
|
Specifies the number of hosts allowed per port. The available options are ‘Single’ for one device per port or ‘Unlimited’ for multiple devices. This setting helps in controlling the network access and maintaining security. |
|
Defines the Pre-Authentication Access Control List (ACL), which is applicable only when the ‘authentication_profile’ is set to “Low Impact.” This profile allows limited network access before authentication, and the ACL controls which traffic is allowed or blocked during this phase. It is not used with other profiles, as they typically block all traffic until authentication is complete. |
|
A list of rules that specify how traffic is handled based on defined conditions. Each rule determines whether traffic is permitted or denied based on the contract parameters. If the ‘access_contracts’ is not provided or is set to null, the system will fall back on its default traffic handling settings. Additionally, up to 3 access control rules can be defined at a time. |
|
The action to apply when traffic matches the rule. The allowed actions are ‘PERMIT’ (allow the traffic) and ‘DENY’ (block the traffic). |
|
Specifies the symbolic port name to which the ACL rule applies. The allowed values are ‘domain’ (DNS), ‘bootpc’ (Bootstrap Protocol Client), and ‘bootps’ (Bootstrap Protocol Server). Each port name can only be used once in the Access Contract list. |
|
The protocol that defines the type of traffic to be filtered by the access contract rule. The allowed protocols are ‘UDP’, ‘TCP’, and ‘TCP_UDP’. However, ‘TCP’ and ‘TCP_UDP’ are only allowed when the contract port is set to ‘domain’. |
|
A brief text description of the Pre-Authentication ACL, outlining its purpose or providing relevant notes for administrators. |
|
A boolean value indicating whether the Pre-Authentication ACL is enabled. When set to ‘true’, the ACL rules are enforced to control traffic before authentication. Choices:
|
|
Specifies the default action for traffic that does not match any explicit ACL rules. Common actions include ‘PERMIT’ to allow unmatched traffic or ‘DENY’ to block it. Implicit behaviour unless overridden (defaults to “DENY”). Default: |
|
A boolean value indicating whether the Wake-on-LAN feature is enabled. Wake-on-LAN allows the network to remotely wake up devices that are in a low-power state. Choices:
|
|
Set to True to verify the Cisco Catalyst Center configuration after applying the playbook configuration. Choices:
|
|
Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged. Default: |
|
Indicates whether debugging is enabled in the Cisco Catalyst Center SDK. Choices:
|
|
The hostname of the Cisco Catalyst Center. |
|
Flag to enable/disable playbook execution logging. When true and dnac_log_file_path is provided, - Create the log file at the execution location with the specified name. When true and dnac_log_file_path is not provided, - Create the log file at the execution location with the name ‘dnac.log’. When false, - Logging is disabled. If the log file doesn’t exist, - It is created in append or write mode based on the “dnac_log_append” flag. If the log file exists, - It is overwritten or appended based on the “dnac_log_append” flag. Choices:
|
|
Determines the mode of the file. Set to True for ‘append’ mode. Set to False for ‘write’ mode. Choices:
|
|
Governs logging. Logs are recorded if dnac_log is True. If path is not specified, - When ‘dnac_log_append’ is True, ‘dnac.log’ is generated in the current Ansible directory; logs are appended. - When ‘dnac_log_append’ is False, ‘dnac.log’ is generated; logs are overwritten. If path is specified, - When ‘dnac_log_append’ is True, the file opens in append mode. - When ‘dnac_log_append’ is False, the file opens in write (w) mode. - In shared file scenarios, without append mode, content is overwritten after each module execution. - For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True. Default: |
|
Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG]. CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages. ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages. WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages. INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages. DEBUG provides detailed diagnostic info. Displays all log messages. Default: |
|
The password for authentication at the Cisco Catalyst Center. |
|
Specifies the port number associated with the Cisco Catalyst Center. Default: |
|
Specifies the interval in seconds between successive calls to the API to retrieve task details. Default: |
|
The username for authentication at the Cisco Catalyst Center. Default: |
|
Flag to enable or disable SSL certificate verification. Choices:
|
|
Specifies the version of the Cisco Catalyst Center that the SDK should use. Default: |
|
The desired state of Cisco Catalyst Center after the module execution. Choices:
|
|
Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema. Choices:
|
Notes
Note
To ensure the module operates correctly for scaled sets, which involve creating or updating fabric sites/zones and handling the updation of authentication profile template, please provide valid input in the playbook. If any failure is encountered, the module will and halt execution without proceeding to further operations.
When deleting fabric sites, make sure to provide the input to remove the fabric zones associated with them in the playbook. Fabric sites cannot be deleted until all underlying fabric zones have been removed and it can be any order as per the module design fabric zones will be deleted first followed by fabric sites.
Reconfiguration of fabric pending events is supported starting from version 2.3.7.9 onwards. Additionally, the authentication profile for the ‘Low Impact’ profile now allows more customization of its parameters
Parameter ‘site_name’ is updated to ‘site_name_hierarchy’.
SDK Method used are ccc_fabric_sites.FabricSitesZones.get_site ccc_fabric_sites.FabricSitesZones.get_fabric_sites ccc_fabric_sites.FabricSitesZones.get_fabric_zones ccc_fabric_sites.FabricSitesZones.add_fabric_site ccc_fabric_sites.FabricSitesZones.update_fabric_site ccc_fabric_sites.FabricSitesZones.add_fabric_zone ccc_fabric_sites.FabricSitesZones.update_fabric_zone ccc_fabric_sites.FabricSitesZones.get_authentication_profiles ccc_fabric_sites.FabricSitesZones.update_authentication_profile ccc_fabric_sites.FabricSitesZones.delete_fabric_site_by_id ccc_fabric_sites.FabricSitesZones.delete_fabric_zone_by_id
Does not support
check_modeThe plugin runs on the control node and does not use any ansible connection plugins instead embedded connection manager from Cisco Catalyst Center SDK
The parameters starting with dnac_ are used by the Cisco Catalyst Center Python SDK to establish the connection
Examples
- name: Create a fabric site for SDA with the specified name.
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1"
authentication_profile: "Closed Authentication"
is_pub_sub_enabled: false
- name: Update a fabric site for SDA with the specified name.
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1"
authentication_profile: "Open Authentication"
- name: Update a fabric zone for SDA with the specified name.
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1/Floor1"
fabric_type: "fabric_zone"
authentication_profile: "Closed Authentication"
- name: Update fabric zone for sda with given name.
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1/Floor1"
fabric_type: "fabric_zone"
authentication_profile: "Open Authentication"
- name: Apply all the pending sda fabric events to the given site.
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1"
authentication_profile: "Open Authentication"
apply_pending_events: true
- name: Set up Pre-Authentication ACL for Low Impact Profile
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1"
fabric_type: "fabric_zone"
authentication_profile: "Low Impact"
is_pub_sub_enabled: false
update_authentication_profile:
authentication_order: "dot1x"
dot1x_fallback_timeout: 28
wake_on_lan: false
number_of_hosts: "Single"
pre_auth_acl:
enabled: true
implicit_action: "PERMIT"
description: "low auth profile description"
access_contracts:
- action: "PERMIT"
protocol: "UDP"
port: "bootps"
- action: "PERMIT"
protocol: "UDP"
port: "bootpc"
- action: "PERMIT"
protocol: "UDP"
port: "domain"
- name: Update/customise authentication profile template for fabric site/zone.
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: merged
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1"
fabric_type: "fabric_zone"
authentication_profile: "Open Authentication"
is_pub_sub_enabled: false
update_authentication_profile:
authentication_order: "dot1x"
dot1x_fallback_timeout: 28
wake_on_lan: false
number_of_hosts: "Single"
- name: Deleting/removing fabric site from sda from Cisco Catalyst Center
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: deleted
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1"
- name: Deleting/removing fabric zone from sda from Cisco Catalyst Center
cisco.dnac.sda_fabric_sites_zones_workflow_manager:
dnac_host: "{{dnac_host}}"
dnac_username: "{{dnac_username}}"
dnac_password: "{{dnac_password}}"
dnac_verify: "{{dnac_verify}}"
dnac_port: "{{dnac_port}}"
dnac_version: "{{dnac_version}}"
dnac_debug: "{{dnac_debug}}"
dnac_log_level: "{{dnac_log_level}}"
dnac_log: false
state: deleted
config:
- fabric_sites:
- site_name_hierarchy: "Global/Test_SDA/Bld1/Floor1"
fabric_type: "fabric_zone"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
A dictionary or list with the response returned by the Cisco Catalyst Center Python SDK Returned: always Sample: |