cisco.mso.ndo_macsec_policy module – Manage MACsec Policies on Cisco Nexus Dashboard Orchestrator (NDO).

Note

This module is part of the cisco.mso collection (version 2.10.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.mso. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.mso.ndo_macsec_policy.

Synopsis

  • Manage MACsec Policies on Cisco Nexus Dashboard Orchestrator (NDO).

  • This module is only supported on ND v3.1 (NDO v4.3) and later.

Requirements

The below requirements are needed on the host that executes this module.

  • Multi Site Orchestrator v2.1 or newer

Parameters

Parameter

Comments

admin_state

string

The administrative state of the MACsec Policy. (Enables or disables the policy)

The default value is enabled.

Choices:

  • "enabled"

  • "disabled"

cipher_suite

string

The cipher suite to be used for encryption.

The default value is 256_gcm_aes_xpn.

Choices:

  • "128_gcm_aes"

  • "128_gcm_aes_xpn"

  • "256_gcm_aes"

  • "256_gcm_aes_xpn"

confidentiality_offset

integer

The confidentiality offset for the MACsec Policy.

The default value is 0.

This parameter is only available for type access.

Choices:

  • 0

  • 30

  • 50

description

string

The description of the MACsec Policy.

host

aliases: hostname

string

IP Address or hostname of the ACI Multi Site Orchestrator host.

If the value is not specified in the task, the value of environment variable MSO_HOST will be used instead.

interface_type

string

The type of the interfaces this policy will be applied to.

Choices:

  • "fabric" ← (default)

  • "access"

key_server_priority

integer

The key server priority for the MACsec Policy.

The value must be between 0 and 255.

The default value 16 for type access.

This parameter is only available for type access.

login_domain

string

The login domain name to use for authentication.

The default value is Local.

If the value is not specified in the task, the value of environment variable MSO_LOGIN_DOMAIN will be used instead.

When using a HTTPAPI connection plugin the inventory variable ansible_httpapi_login_domain will be used if this attribute is not specified.

macsec_keys

list / elements=dictionary

List of the MACsec Keys.

Providing an empty list will remove the macsec_keys from the MACsec Policy.

The old macsec_keys entries will be replaced with the new entries during update.

end_time

string

The end time for the MACsec Key.

The date time format - YYYY-MM-DD HH:MM:SS or ‘infinite’

The default value is infinite.

key_name

string / required

The name of the MACsec Key.

Key Name has to be Hex chars [0-9a-fA-F]

psk

string / required

The Pre-Shared Key (PSK) for the MACsec Key.

PSK has to be 64 chars long if cipher suite is 256_gcm_aes or 256_gcm_aes_xpn.

PSK has to be 32 chars long if cipher suite is 128_gcm_aes or 128_gcm_aes_xpn.

PSK has to be Hex chars [0-9a-fA-F]

start_time

string

The start time for the MACsec Key.

The date time format - YYYY-MM-DD HH:MM:SS or ‘now’

The start time for each key_name should be unique.

The default value is now.

macsec_policy

aliases: name

string

The name of the MACsec Policy.

macsec_policy_uuid

aliases: uuid

string

The UUID of the MACsec Policy.

This parameter is required when the macsec_policy needs to be updated.

output_level

string

Influence the output of this MSO module.

normal means the standard output, incl. current dict

info adds informational output, incl. previous, proposed and sent dicts

debug adds debugging output, incl. filter_string, method, response, status and url information

If the value is not specified in the task, the value of environment variable MSO_OUTPUT_LEVEL will be used instead.

Choices:

  • "debug"

  • "info"

  • "normal" ← (default)

password

string

The password to use for authentication.

If the value is not specified in the task, the value of environment variables MSO_PASSWORD or ANSIBLE_NET_PASSWORD will be used instead.

port

integer

Port number to be used for the REST connection.

The default value depends on parameter `use_ssl`.

If the value is not specified in the task, the value of environment variable MSO_PORT will be used instead.

sak_expiry_time

integer

The expiry time for the Security Association Key (SAK) for the MACsec Policy.

The value must be 0 or between 60 and 2592000.

The default value is 0.

security_policy

string

The security policy to allow traffic on the link for the MACsec Policy.

The default value is should_secure.

Choices:

  • "should_secure"

  • "must_secure"

state

string

Use absent for removing.

Use query for listing an object or multiple objects.

Use present for creating or updating.

Choices:

  • "absent"

  • "query" ← (default)

  • "present"

template

string / required

The name of the template.

The template must be a fabric policy template.

timeout

integer

The socket level timeout in seconds.

The default value is 30 seconds.

If the value is not specified in the task, the value of environment variable MSO_TIMEOUT will be used instead.

use_proxy

boolean

If false, it will not use a proxy, even if one is defined in an environment variable on the target hosts.

If the value is not specified in the task, the value of environment variable MSO_USE_PROXY will be used instead.

The default is true.

Choices:

  • false

  • true

use_ssl

boolean

If false, an HTTP connection will be used instead of the default HTTPS connection.

If the value is not specified in the task, the value of environment variable MSO_USE_SSL will be used instead.

When using a HTTPAPI connection plugin the inventory variable ansible_httpapi_use_ssl will be used if this attribute is not specified.

The default is false when using a HTTPAPI connection plugin (mso or nd) and true when using the legacy connection method (only for mso).

Choices:

  • false

  • true

username

string

The username to use for authentication.

If the value is not specified in the task, the value of environment variables MSO_USERNAME or ANSIBLE_NET_USERNAME will be used instead.

validate_certs

boolean

If false, SSL certificates will not be validated.

This should only set to false when used on personally controlled sites using self-signed certificates.

If the value is not specified in the task, the value of environment variable MSO_VALIDATE_CERTS will be used instead.

The default is true.

Choices:

  • false

  • true

window_size

integer

The window size defines the maximum number of frames that can be received out of order

before a replay attack is detected.

The value must be between 0 and 4294967295.

The default value is 0 for type fabric and 64 for type access.

Notes

Note

  • This module was written to support Multi Site Orchestrator v2.1 or newer. Some or all functionality may not work on earlier versions.

Examples

- name: Create a new MACsec Policy of interface_type fabric
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    macsec_policy: ansible_test_macsec_policy
    description: "Ansible Test MACsec Policy"
    state: present

- name: Create a new MACsec Policy of interface_type access
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    macsec_policy: ansible_test_macsec_policy
    description: "Ansible Test MACsec Policy"
    macsec_keys:
      - key_name: ansible_test_key
        psk: 'AA111111111111111111111111111111111111111111111111111111111111aa'
        start_time: '2029-12-11 11:12:13'
        end_time: 'infinite'
    state: present

- name: Query a MACsec Policy with macsec_policy name
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    macsec_policy: ansible_test_macsec_policy
    state: query
  register: query_one

- name: Query all MACsec Policies
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    state: query
  register: query_all

- name: Query a MACsec Policy with macsec_policy UUID
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    macsec_policy_uuid: ansible_test_macsec_policy_uuid
    state: query
  register: query_uuid

- name: Delete a MACsec Policy with name
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    macsec_policy: ansible_test_macsec_policy
    state: absent

- name: Delete a MACsec Policy with UUID
  cisco.mso.ndo_macsec_policy:
    host: mso_host
    username: admin
    password: SomeSecretPassword
    template: ansible_test_template
    macsec_policy_uuid: ansible_test_macsec_policy_uuid
    state: absent

Authors

  • Anvitha Jain (@anvjain)