The cisco.nxos.nxos_vrf module does not support sub-interfaces for the "interfaces" parameter.

[dwebr]

SUMMARY

We are trying to use the cisco.nxos.nxos_vrf module along with the aggregate parameter and a list of interfaces for each VRF to assign the interfaces to the appropriate VRF.

The module works fine as long as the interface is not a sub-interface, for example Ethernet1/1.3901. When a sub-interface is listed in the aggregate.interfaces list, the module attempts to issue "no switchport" which is invalid on a sub-interface.

ISSUE TYPE

• Bug Report

COMPONENT NAME

cisco.nxos.nxos_vrf module using the aggregate parameter along with a list of interfaces.

ANSIBLE VERSION

ansible [core 2.14.0]
  config file = /opt/netadmin/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/netadmin/ve/ansible7/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/netadmin/ve/ansible7/bin/ansible
  python version = 3.9.15 (main, Oct 22 2022, 11:54:42) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] (/opt/netadmin/ve/ansible7/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

ansible-galaxy collection list cisco.nxos

# /home/user/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.nxos 6.0.0

# /opt/netadmin/ve/ansible7/lib/python3.9/site-packages/ansible_collections
Collection Version
---------- -------
cisco.nxos 4.0.0

CONFIGURATION

COLOR_ERROR(/opt/netadmin/ansible/ansible.cfg) = bright red
COLOR_VERBOSE(/opt/netadmin/ansible/ansible.cfg) = bright blue
CONFIG_FILE() = /opt/netadmin/ansible/ansible.cfg
DEFAULT_HOST_LIST(/opt/netadmin/ansible/ansible.cfg) = ['/opt/netadmin/ansible/inventory']
DEFAULT_TIMEOUT(/opt/netadmin/ansible/ansible.cfg) = 5
DISPLAY_SKIPPED_HOSTS(/opt/netadmin/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/opt/netadmin/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/opt/netadmin/ansible/ansible.cfg) = False

OS / ENVIRONMENT

Switch

Software
  BIOS: version 07.69
  NXOS: version 10.2(6) [Maintenance Release]
  BIOS compile time:  04/07/2021
  NXOS image file is: bootflash:///nxos64-cs.10.2.6.M.bin
  NXOS compile time:  8/31/2023 12:00:00 [08/29/2023 21:07:36]

Hardware
  cisco Nexus9000 C93180YC-EX chassis
  Intel(R) Xeon(R) CPU  @ 1.80GHz with 24617888 kB of memory.
  Processor Board ID FDO23210NB1
  Device name: SIM-ACI
  bootflash:   11906048 kB

Control Node

Red Hat Enterprise Linux Server release 7.9 (Maipo)

STEPS TO REPRODUCE

host_vars

vrfs: "{{ pair_vrfs }}"

pair_vrfs:
  - name: PK8
    description: PK8_VRF
    admin_state: up
  - name: PRD
    description: PRD_VRF
    admin_state: up
  - name: SHS
    description: SHS_VRF
    admin_state: up

pair_vrf_interfaces:
  - name: SHS
    interfaces:
      - Ethernet1/1.3901
      - Ethernet1/2.3901
  - name: PRD
    interfaces:
      - Ethernet1/1.3902
      - Ethernet1/2.3902

role tasks

- name: NXOS (vrf)
  block:
    - name: Config Block
      block:  
        - name: NXOS - Assign Interfaces to VRFs
          cisco.nxos.nxos_vrf:
            aggregate: "{{ vrf_interface_list }}"
          register: vrf_results

EXPECTED RESULTS

I would expect each interface (physical, logical) that has sub-interfaces to be properly configured with a vrf member statement. For example:

interface Ethernet1/1.3901
  description SHS VRF v3901
  encapsulation dot1q 3901
  vrf member SHS
  ip address 10.92.130.61/30
  no shutdown

It appears that there is no distinction given between a standard Ethernet1/x interface and a sub-interface. This is likely to be a problem with sub-interfaces that have a parent of a port-channel interface.

If appears that line 332 (among others) of the source file https://github.com/ansible-collections/cisco.nxos/blob/main/plugins/modules/nxos_vrf.py
does a check to see if the interface is of type ethernet or port-channel and then appends the command "no switchport" if true.

                        if get_interface_type(i) in (
                            "ethernet",
                            "portchannel",
                        ):
                            commands.append("no switchport")

It does not look like the module utility get_interface_type() distinguishes between the physical interface and the sub-interface. A possible solution to this specific issue, might be to add an additional check to see if the Ethernet or Port-channel interface is a sub-interface by checking the length of the interface after splitting on a period '.'

                        if get_interface_type(i) in (
                            "ethernet",
                            "portchannel",
                        ) **and len(i.split('.')) < 2** :
                            commands.append("no switchport")

ACTUAL RESULTS

TASK [interfaces : NXOS - Assign Interfaces to VRFs] ****************************************************************************************************************************************************************************************
task path: /home/user/repos/eveng-labs/roles/interfaces/tasks/nxos_interfaces.yml:43
The full traceback is:
  File "/home/user/.ansible/collections/ansible_collections/cisco/nxos/plugins/module_utils/network/nxos/nxos.py", line 143, in load_config
    resp = connection.edit_config(config, replace=replace)
  File "/opt/netadmin/ve/ansible7/lib/python3.9/site-packages/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [SIM-ACI]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "admin_state": "up",
            "aggregate": [
                {
                    "admin_state": "up",
                    "associated_interfaces": null,
                    "delay": 10,
                    "description": null,
                    "interfaces": [
                        "Ethernet1/1.3901",
                        "Ethernet1/2.3901"
                    ],
                    "name": "SHS",
                    "rd": null,
                    "state": "present",
                    "vni": null
                },
                {
                    "admin_state": "up",
                    "associated_interfaces": null,
                    "delay": 10,
                    "description": null,
                    "interfaces": [
                        "Ethernet1/1.3902",
                        "Ethernet1/2.3902"
                    ],
                    "name": "PRD",
                    "rd": null,
                    "state": "present",
                    "vni": null
                }
            ],
            "associated_interfaces": null,
            "delay": 10,
            "description": null,
            "interfaces": null,
            "name": null,
            "purge": false,
            "rd": null,
            "state": "present",
            "vni": null
        }
    },
    "msg": "no switchport\r\r\n                                ^\r\n% Invalid command at '^' marker.\r\n\rSIM-ACI(config-subif)# "
}