Ansible basic commands

Check the hosts in the inventory:

ansible@Deb-Master:~/base$ ansible all --list-hosts
   hosts (1):

Get the list of modules (here filtered to the Cisco ACI and MSO modules):

ansible@Deb-Master:~/base$ /usr/local/bin/ansible-doc -l | egrep '^(aci|mso)'
 [WARNING]: win_template parsing did not produce documentation.
 [WARNING]: template parsing did not produce documentation.
 aci_l3out                                                     Manage Layer 3 Outside (L3Out) objects (l3ext:Out)
 aci_interface_policy_cdp                                      Manage CDP interface policies (cdp:IfPol)
 aci_maintenance_group_node                                    Manage maintenance group nodes
 mso_site                                                      Manage sites
 aci_intf_policy_fc                                            Manage Fibre Channel interface policies (fc:IfPol)
 aci_filter_entry                                              Manage filter entries (vz:Entry)
 mso_schema_site_vrf                                           Manage site-local VRFs in schema template
 mso_schema_site_anp_epg_staticleaf                            Manage site-local EPG static leafs in schema template
 aci_intf_policy_port_channel                                  Manage port channel interface policies (lacp:LagPol)
 mso_schema_template_filter_entry                              Manage filter entries in schema templates
 aci_aaa_user_certificate                                      Manage AAA user certificates (aaa:UserCert)
 aci_switch_policy_leaf_profile                                Manage switch policy leaf profiles (infra:NodeP)
 aci_interface_policy_lldp                                     Manage LLDP interface policies (lldp:IfPol)
 mso_schema_template_externalepg                               Manage external EPGs in schema templates
 aci_tenant_span_src_group                                     Manage SPAN source groups (span:SrcGrp)
 aci_access_port_block_to_access_port                          Manage port blocks of Fabric interface policy leaf profile interface selectors (infra:HPortS, infra:PortBlk)
 aci_epg_to_contract                                           Bind EPGs to Contracts (fv:RsCons, fv:RsProv)
 aci_access_port_to_interface_policy_leaf_profile              Manage Fabric interface policy leaf profile interface selectors (infra:HPortS, infra:RsAccBaseGrp, infra:PortBlk)
 aci_firmware_source                                           Manage firmware image sources (firmware:OSource)
 aci_tenant_action_rule_profile                                Manage action rule profiles (rtctrl:AttrP)

Show the documentation for a specific module:

ansible@Deb-Master:~/base$ /usr/local/bin/ansible-doc aci_tenant
   ACI_TENANT (/usr/local/lib/python2.7/dist-packages/ansible/modules/network/aci/
    Manage tenants on Cisco ACI fabrics.
 This module is maintained by an Ansible Partner
 OPTIONS (= is mandatory):
     The X.509 certificate name attached to the APIC AAA user used for signature-based authentication.
     If a `private_key' filename was provided, this defaults to the `private_key' basename, without extension.
     If PEM-formatted content was provided for `private_key', this defaults to the `username' value.
     (Aliases: cert_name)[Default: (null)]
     type: str
     Description for the tenant.
     (Aliases: descr)[Default: (null)]
     type: str
 = host
         IP Address or hostname of APIC resolvable by Ansible control host.
         (Aliases: hostname)
         type: str
     Influence the output of this ACI module.
      `normal' means the standard output, incl. `current' dict
      `info' adds informational output, incl. `previous', `proposed' and `sent' dicts
      `debug' adds debugging output, incl. `filter_string', `method', `response', `status' and `url' information
     (Choices: debug, info, normal)[Default: normal]
     type: str

Test network services

This container has been tested with IOS / NXOS and ACI.

Test syslog

You can verify that you receive logs with syslog-ng. The service listens on the default port, udp/514.

The configuration in /etc/syslog-ng/syslog-ng.conf redirects the external logs to the file /var/log/remote-syslog.log

# Extract of syslog-ng.conf

source s_net {
    tcp(ip( port(514));
    udp(ip( port(514));
};

log { source(s_net); destination(d_net); };
destination d_net { file("/var/log/remote-syslog.log"); };

The logs can be viewed with the following command:

root@89944db0da60:~# tailf /var/log/remote-syslog.log
Apr 15 06:50:51 2019 Apr 15 06:50:48 UTC: %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet1/1 is down(Config change)
Apr 15 06:50:52 2019 Apr 15 06:50:49 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/1 is down (Administratively down)
Apr 15 06:50:55 2019 Apr 15 06:50:52 UTC: last message repeated 1 time
Apr 15 11:57:59 %LOG_LOCAL7-4-SYSTEM_MSG [F1186][raised][config-failure][warning][sys/phys-[eth1/35]/fault-F1186] Port configuration failure. Reason: 2 Failed Config: l1:PhysIfspeed_failed_flag
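Once the remote device logs land in /var/log/remote-syslog.log, the next step is usually to pick the Cisco message header (%FACILITY-SEVERITY-MNEMONIC) out of each line so that the file can be filtered by severity. The following parser is an added example, not part of the original page or of the network-test container; the sample lines are constructed to match the output shown above and the severity threshold of 4 (warning) is an arbitrary choice.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines of the kind syslog-ng writes to /var/log/remote-syslog.log
# (NX-OS and ACI messages as shown on the page). Not captured from a live device.
SAMPLE_LOG = """\
Apr 15 06:50:51 2019 Apr 15 06:50:48 UTC: %ETHPORT-5-IF_DOWN_CFG_CHANGE: Interface Ethernet1/1 is down(Config change)
Apr 15 06:50:52 2019 Apr 15 06:50:49 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: Interface Ethernet1/1 is down (Administratively down)
Apr 15 06:50:55 2019 Apr 15 06:50:52 UTC: last message repeated 1 time
Apr 15 11:57:59 %LOG_LOCAL7-4-SYSTEM_MSG [F1186][raised][config-failure][warning][sys/phys-[eth1/35]/fault-F1186] Port configuration failure. Reason: 2 Failed Config: l1:PhysIfspeed_failed_flag
"""

# Cisco message header: %FACILITY-SEVERITY-MNEMONIC, optionally followed by ':'.
# Severity is 0 (emergency) .. 7 (debug); a lower number is more urgent.
CISCO_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):?\s*(?P<text>.*)"
)


@dataclass
class CiscoEvent:
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str):
    """Return a CiscoEvent for a line carrying a Cisco header, else None
    (e.g. 'last message repeated 1 time' has no header and is skipped)."""
    m = CISCO_MSG.search(line)
    if m is None:
        return None
    return CiscoEvent(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())


def parse_log(text: str):
    """Parse every line of the log file contents, dropping lines without a header."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def urgent_events(events, max_severity: int = 4):
    """Keep events at severity <= max_severity (4 = warning and more urgent)."""
    return [ev for ev in events if ev.severity <= max_severity]


if __name__ == "__main__":
    for ev in urgent_events(parse_log(SAMPLE_LOG)):
        print(f"{ev.facility}-{ev.severity}-{ev.mnemonic}: {ev.text}")
```

Running the block on the sample prints only the LOG_LOCAL7-4-SYSTEM_MSG fault; the two ETHPORT-5 notices fall below the threshold and the "last message repeated" line carries no Cisco header at all.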

Test snmptrap

snmptrapd is used to receive SNMP traps. The logs are redirected to the file /var/log/snmptrapd.log.

The configuration files are /etc/snmp/snmptrapd.conf and /etc/default/snmptrapd.

The configured community is "public". You can change it in the /etc/snmp/snmptrapd.conf file, or disable authentication with "disableAuthorization yes".


Agent Address:
Agent Hostname: nxos – UDP: []:59353->[]:162
Date: 6:50:57 15-4
Enterprise OID: .
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v2c, community nxos
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
iso. = Timeticks: (16384794) 1 day, 21:30:47.94
iso. = OID: iso.
iso. = INTEGER: 1
iso. = STRING: "Ethernet1/1"

Agent Address:
Agent Hostname: nxos – UDP: []:59353->[]:162
Date: 6:51:6 15-4
Enterprise OID: .
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v2c, community nxos
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
iso. = Timeticks: (16385696) 1 day, 21:30:56.96
iso. = OID: iso.
iso. = Timeticks: (16384764) 1 day, 21:30:47.64
iso. = INTEGER: 3

Test tacacs+

tacacs+ is used to verify Authentication, Authorization and Accounting (AAA). The configuration is in the file /etc/tacacs/tac_plus.conf.

We use the following package:

The current configuration is the following:

  • Tacacs Key : cisco1234
  • user : user1 / cisco1234
  • Right: admin

The log files are the following:

  • For accounting : /var/log/tacacs/tac_plus.acct
  • For authentication : /var/log/tac_plus.log

Test radius

We use freeradius with the following files:

  • radiusd.conf
  • clients.conf
  • users

The logs are in the directory /var/log/freeradius/.

Example entry in the users file for IOS/NXOS and ACI:

user1 Cleartext-Password := "cisco1234"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=15",
    Cisco-AVPair += "shell:domains=all/admin/"

Synchronize ntp

This container can be used to verify that your device can synchronize with an NTP server. The container runs an NTP server at stratum 5.

fudge stratum 5

SSH / scp server

You can use this container to upload files via scp if needed. The daemon is stopped by default and you need to create your own user.

root@9371dba394dc:~# adduser cisco
 Adding user `cisco' ...
 Adding new group `cisco' (1001) ...
 Adding new user `cisco' (1001) with group `cisco' ...
 Creating home directory `/home/cisco' ...
 Copying files from `/etc/skel' ...
 New password:
 Retype new password:
 passwd: password updated successfully
 Changing the user information for cisco
 Enter the new value, or press ENTER for the default
         Full Name []:
         Room Number []:
         Work Phone []:
         Home Phone []:
         Other []:
 Is the information correct? [Y/n] y

root@9371dba394dc:~# /etc/init.d/ssh start
 [ ok ] Starting OpenBSD Secure Shell server: sshd.

The port exposed for SSH in the docker-compose.yml file is 30022. You can change this port.

Docker-compose file


version: "3"
services:
  network-test:   # service name not preserved on the page; placeholder
    build: .
    image: zednetwork/network-test
    ports:
      - "30022:22/tcp"
      - "123:123/udp"
      - "49:49/tcp"
      - "162:162/udp"
      - "514:514/udp"
      - "1812:1812/udp"
      - "1813:1813/udp"
    tty: true
    stdin_open: true

To download the container:

docker pull zednetwork/network-test:latest

To enter the container:

docker exec -it <container_ID> /bin/bash

Cisco DHCP with client-identifier 27 bytes

How do you configure the correct value for a DHCP reservation when the client-identifier is 27 bytes long?

R1 will be the DHCP server, with a DHCP pool named SERVER3. The client MAC address is aacf.a2e3.aaff.

Configuration on the client:

 interface Ethernet0/0
 mac-address aacf.a2e3.aaff
 ip address dhcp

The problem is to find the correct 27-byte value for the client identifier (vendor-xxxx.xxxx.xxxx-Interface).

The first option is to use an online hex-to-ASCII converter.

The other is to read the value from the debug output on the client, using the debug dhcp detail command.

Now shut down the interface and bring it back up (shutdown, then no shutdown) to trigger a new DHCP negotiation.

The correct value now appears in the debug output:

Retry count: 1 Client-ID: cisco-aacf.a2e3.aaff-Et0/0
 Client-ID hex dump: 636973636F2D616163662E613265332E

The request in ASCII: Client-ID: cisco-aacf.a2e3.aaff-Et0/0

In hexadecimal: 636973636F2D616163662E613265332E616166662D4574302F30

Now configure the DHCP pool on the server, prefixing the hexadecimal value with "00", like this:

ip dhcp pool SERVER3
 client-identifier 00636973636F2D616163662E613265332E616166662D4574302F30
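The conversion above can be done without an online converter. The script below is an added example, not code from the original post: it builds the Client-ID string the client sends, turns it into the hex value expected by the IOS client-identifier command (the leading 00 is the type byte of DHCP option 61 for a non-hardware identifier, which is why the pool value is one byte longer than the ASCII string), and reassembles the two "Client-ID hex dump" lines from debug dhcp detail back into text. The function names are my own.

```python
import re

# Added example: helpers for the IOS "client-identifier" value (function names are my own).
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")


def build_client_id(vendor: str, mac: str, ifname: str) -> str:
    """ASCII Client-ID as sent by the IOS client, e.g. 'cisco-aacf.a2e3.aaff-Et0/0'."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("MAC must use the dotted Cisco form, e.g. aacf.a2e3.aaff")
    return f"{vendor}-{mac}-{ifname}"


def ios_client_identifier(client_id: str) -> str:
    """Hex value for 'client-identifier' under 'ip dhcp pool'.

    IOS prefixes the ASCII bytes with 00, the option-61 type byte for a
    non-hardware identifier, so a 26-character string becomes 27 bytes.
    """
    return "00" + client_id.encode("ascii").hex().upper()


def identifier_length_bytes(hex_value: str) -> int:
    """Byte length of a hex client-identifier (each byte is two hex digits)."""
    return len(hex_value) // 2


def decode_hex_dump(*chunks: str) -> str:
    """Reassemble the 'Client-ID hex dump' lines printed by 'debug dhcp detail'."""
    return bytes.fromhex("".join(chunks)).decode("ascii")


if __name__ == "__main__":
    cid = build_client_id("cisco", "aacf.a2e3.aaff", "Et0/0")
    value = ios_client_identifier(cid)
    print("ip dhcp pool SERVER3")
    print(f" client-identifier {value}   ! {identifier_length_bytes(value)} bytes")
```

For the MAC and interface used on this page the script prints the same 27-byte value that appears in the pool configuration above, so it can also be used to double-check a reservation that a client keeps refusing.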

Now the client receives the IP address:

*Jul 23 17:44:36.638: DHCP: SRequest attempt # 1 for entry:
*Jul 23 17:44:36.638: Temp IP addr: for peer on Interface: Ethernet0/0
*Jul 23 17:44:36.638: Temp sub net mask:
*Jul 23 17:44:36.638: DHCP Lease server:, state: 4 Requesting
*Jul 23 17:44:36.638: DHCP transaction id: B43
*Jul 23 17:44:36.638: Lease: 86400 secs, Renewal: 0 secs, Rebind: 0 secs
*Jul 23 17:44:36.638: Next timer fires after: 00:00:03
*Jul 23 17:44:36.638: Retry count: 1 Client-ID: cisco-aacf.a2e3.aaff-Et0/0
*Jul 23 17:44:36.638: Client-ID hex dump: 636973636F2D616163662E613265332E
*Jul 23 17:44:36.639: 616166662D4574302F30
*Jul 23 17:44:39.657: DHCP: Releasing ipl options:
*Jul 23 17:44:39.657: DHCP: Applying DHCP options:
*Jul 23 17:44:39.657: DHCP: Sending notification of ASSIGNMENT:
*Jul 23 17:44:39.657: Address mask
*Jul 23 17:44:39.657: DHCP Client Pooling: ***Allocated IP address:
*Jul 23 17:44:39.730: Allocated IP address =
Client(config-if)#do sh ip int brief
 Interface IP-Address OK? Method Status Protocol
 Ethernet0/0 YES DHCP up up

Convert LWAPP to Autonomous AP


Password: <= Cisco

AP4403.xxxx.xxxx#sh ver

Cisco IOS Software, C2600 Software (AP3G2-RCVK9W8-M), Version 15.2(2)JA, RELEASE SOFTWARE (fc1)
Technical Support:
(c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 23-Aug-12 02:43 by prod_rel_team
ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)
AP4403.a7a0.db3e uptime is 4 minutes
System returned to ROM by power-on
System image file is "flash:/ap3g2-rcvk9w8-mx/ap3g2-rcvk9w8-xx"

AP4403.xxxx.xxxx#debug capwap console cli
This command is meant only for debugging/troubleshooting
Any configuration change may result in different
behavior from centralized configuration.

CAPWAP console CLI allow/disallow debugging is on

AP4403.a7a0.db3e(config)#ip defa
AP4403.a7a0.db3e(config)#ip default-g
AP4403.a7a0.db3e(config)#ip default-gateway
AP4403.a7a0.db3e(config)#int gi0
Not in Bound state.
*Mar 1 00:06:53.019: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.nt gi0
AP4403.a7a0.db3e(config-if)#int gi0
AP4403.a7a0.db3e(config-if)#int gi0
*Mar 1 00:06:56.023: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar 1 00:06:56.091: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address, mask, hostname AP4403.a7a0.db3e

AP4403.a7a0.db3e(config-if)#ip add
AP4403.a7a0.db3e(config-if)#ip address 1
Translating “”…domain server (
*Mar 1 00:07:04.019: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
AP4403.a7a0.db3e(config-if)#ip address 10.0.10
*Mar 1 00:07:07.019: %CAPWAP-3-ERRORLOG: Could Not resolve
AP4403.a7a0.db3e(config-if)#ip address
% overlaps with BVI1
AP4403.a7a0.db3e(config-if)#no sh
*Mar 1 00:07:28.527: %SYS-5-CONFIG_I: Configured from console by console10.0.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

AP4403.a7a0.db3e#archive download-sw /force-reload /overwrite tftp://
examining image…
Loading ap3g2-k9w7-tar.default from (via BVI1): !
extracting info (279 bytes)
Image info:
Version Suffix: k9w7-.153-3.JC
Image Name: ap3g2-k9w7-mx.153-3.JC
Version Directory: ap3g2-k9w7-mx.153-3.JC
Ios Image Size: 10322432
Total Image Size: 13384192
Image Feature: WIRELESS LAN
Image Family: AP3G2
Wireless Switch Management Version:
Extracting files…
ap3g2-k9w7-mx.153-3.JC/ (directory) 0 (bytes)
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-mx.153-3.JC (215867 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-tx.153-3.JC (73 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-bl-2600 (190140 bytes)!
extracting ap3g2-k9w7-mx.153-3.JC/ap3g2-bl-3600 (189183 bytes)!
ap3g2-k9w7-mx.153-3.JC/html/ (directory) 0 (bytes)
ap3g2-k9w7-mx.153-3.JC/html/level/ (directory) 0 (bytes)
ap3g2-k9w7-mx.153-3.JC/html/level/1/ (directory) 0 (bytes)

extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/appsui.js (563 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/back.shtml (512 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/cookies.js (5032 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/html/level/1/forms.js (20442 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/HA5.bin (2049 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/B2.bin (10512 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/B5.bin (1995 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/Y2.bin (7008 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/Y5.bin (1555 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/8006.img (568619 bytes)!!!
extracting ap3g2-k9w7-mx.153-3.JC/triggerfish.jed (0 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/uart_firmware_upgrade.bin (18239 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/MCU.bin (8799 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/info (279 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/file_hashes (36832 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/final_hash (141 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/final_hash.sig (513 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/img_sign_rel.cert (1375 bytes)
extracting ap3g2-k9w7-mx.153-3.JC/img_sign_rel_sha2.cert (1371 bytes)
extracting info.ver (279 bytes)
[OK – 13434880 bytes]

Deleting current version: flash:/ap3g2-rcvk9w8-mx…done.
New software image installed in flash:/ap3g2-k9w7-mx.153-3.JC
Writing out the event log to flash:/event.log …
guring system to use new image…done.
Requested system reload in progress…
archive download: takes 220 seconds

Write of event.log done

*Mar 1 00:13:17.647: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Reason unspecified.
*Mar 1 00:13:17.647: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
IOS Bootloader – Starting system.
flash is writable
FLASH CHIP: Numonyx Mirrorbit (0089)
Xmodem file system is available.
flashfs[0]: 237 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 13329408
flashfs[0]: Bytes available: 18668544
flashfs[0]: flashfs fsck took 16 seconds.
Reading cookie from SEEPROM
Base Ethernet MAC address: 44:03:a7:a0:db:3e
Ethernet speed is 1000 Mb – FULL Duplex
Loading “flash:/ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-mx.153-3.JC”…#########################

File “flash:/ap3g2-k9w7-mx.153-3.JC/ap3g2-k9w7-mx.153-3.JC” uncompressed and installed, entry point: 0x2003000

Secondary Bootloader – Starting system.
Tide MB – 32MB of flash
Xmodem file system is available.
flashfs[0]: 237 files, 8 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 31997952
flashfs[0]: Bytes used: 13329408
flashfs[0]: Bytes available: 18668544
flashfs[0]: flashfs fsck took 8 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 1 seconds.
Base Ethernet MAC address: 44:03:a7:a0:db:3e

On the TFTP server side:
May 5 19:53:52 srv1 in.tftpd[5529]: connect from (
May 5 19:53:52 srv1 atftpd[5529]: Advanced Trivial FTP server started (0.7)
May 5 19:53:52 srv1 atftpd[5529]: Serving ap3g2-k9w7-tar.default to
May 5 19:53:52 srv1 atftpd[5529]: Serving ap3g2-k9w7-tar.default to
May 5 19:54:11 srv1 atftpd[5529]: timeout: retrying…
May 5 19:55:08 srv1 atftpd[5529]: timeout: retrying…


How to upgrade a C3Kx-SM10G module

First download from the Cisco web site the tarball matching your IOS version.

Example:

# sh version | i System image
System image file is "flash:/c3750e-universalk9-mz.152-1.E3.bin"

Upload the tarball to your flash, or upgrade directly over FTP. Here we use the file c3kx-sm10g-tar.152-1.E3.tar

Then run this command:

switch#archive download-sw /leave-old-sw flash:/c3kx-sm10g-tar.152-1.E3.tar
examining image...
extracting info (99 bytes)
extracting c3kx-sm10g-mz.152-1.E3/info (501 bytes)
extracting info (99 bytes)
Stacking Version Number: 1.51
System Type: 0x00010002
 Ios Image File Size: 0x017AEA00
 Total Image File Size: 0x017AEA00
 Minimum Dram required: 0x08000000
 Image Suffix: sm10g-152-1.E3
 Image Directory: c3kx-sm10g-mz.152-1.E3
 Image Name: c3kx-sm10g-mz.152-1.E3.bin
 Image Feature: IP|LAYER_3|MIN_DRAM_MEG=128
 FRU Module Version: 03.05.03.IND3
Updating FRU Module on switch 2...
All software images installed.

Reload your switch and the module will run the new firmware.