Config generated by custom eBGP Overlay Policies does not get updated

[marehler]

Ansible Version

ansible [core 2.16.3]

Ansible Collection Versions

Collection         Version
------------------ -------
ansible.netcommon  7.1.0  
ansible.posix      2.0.0  
ansible.utils      5.1.2  
cisco.dcnm         3.10.0 
cisco.nac_dc_vxlan 0.6.0  
cisco.nxos         9.4.0  
community.general  10.1.0

Cisco Nexus Dashboard Version

3.2(1i)

Cisco NX-OS Version

10.5(4)

Which role is this issue related to?

cisco.nac_dc_vxlan.dtc.create

Which section of the data model is this issue related to?

vxlan.policy

Expected Behavior

My customer has created custom 'ebgp_overlay_spine_all_neighbor_custom' and 'ebgp_overlay_leaf_all_neighbor_custom' policies as described in the Spine Switch Overlay Policies and Leaf Switch Overlay Policies data model section. Changed BGP authentication keys shall get updated.
https://netascode.cisco.com/docs/data_models/vxlan/global/vxlan_evpn_ebgp/

Actual Behavior

NDFC fails to update the config generated by these policies. Fabric settings are correctly updated, but BGP authentication keys in the switch configs are not. The same issue occurs when changing the BGP authentication key via the NDFC GUI.

Ansible Playbook

---
# Main entry point playbook.

- hosts: "{{ lookup('env', 'ANSIBLE_HOST') }}"
  any_errors_fatal: true
  gather_facts: no

  roles:
    - role: cisco.nac_dc_vxlan.dtc.create
    - role: cisco.nac_dc_vxlan.dtc.deploy
    - role: cisco.nac_dc_vxlan.dtc.remove

Data Model

---
vxlan:
  fabric:
    name: VXLAN_MSD
    type: MSD

  multisite:
    child_fabrics:
      - name: VXLAN-CDC-50   
    overlay_dci:
      enable_ebgp_password: True
      ebgp_password: 427d1c22d5c186bd
      ebgp_password_encryption_type: 3 

  policy:
    policies:      
      - name: LEAF_BGP_ASN
        template_name: leaf_bgp_asn
        template_vars:
          BGP_AS: "65000.2"
      - name: SL_BGP_ASN
        template_name: leaf_bgp_asn
        template_vars:
          BGP_AS: "65000.4"
      - name: BGW_BGP_ASN
        template_name: leaf_bgp_asn
        template_vars:
          BGP_AS: "64200.1001"
      - name: ebgp_overlay_spine_all_neighbor_custom
        template_name: ebgp_overlay_spine_all_neighbor_custom
        template_vars:
          LEAF_IP_LIST: "10.64.16.13,10.64.16.2,10.64.16.5,10.64.16.12,10.64.16.1,10.64.16.4,10.64.16.3,10.64.16.7,10.64.16.6,10.64.16.9"        
          INTF_NAME: "Loopback0"
          LEAF_ASNS: "64200.22,64200.22,65000.4,65000.4,65000.2,65000.2,65000.2,65000.2,65000.2,65000.2"         
      - name: ebgp_overlay_leaf_all_neighbor_custom
        template_name: ebgp_overlay_leaf_all_neighbor_custom
        template_vars:
          SPINE_IP_LIST: "10.64.16.10,10.64.16.11"      
          INTF_NAME: "Loopback0"

Steps to Reproduce

1. Create custom eBGP overlay policies in NDFC
2. Create and deploy fabric with policies using NaC
3. Change BGP authentication key
4. Run NaC again
5. Verify switch configurations

Relevant Debug Output

[marehler]

As a workaround for the BGP authentication key, you may configure another, non-custom policy using the evpn_bgp_neighbor_auth template to overwrite and update the BGP authentication key. However you would need one policy per BGP neighbor. Example - policies for two spine switches applied to all leaf switches:

---
vxlan:
  policy:
    policies:
      - name: evpn_bgp_neighbor_auth_SPINE1
        template_name: evpn_bgp_neighbor_auth
        template_vars:
          BGP_AS: "65000.2"
          BGP_NEIGHBOR_IP: "10.22.0.4"
          BGP_AUTH_KEY_TYPE: 3
          BGP_AUTH_KEY: "427d1c22d5c186bd"
      - name: evpn_bgp_neighbor_auth_SPINE2
        template_name: evpn_bgp_neighbor_auth
        template_vars:
          BGP_AS: "65000.2"
          BGP_NEIGHBOR_IP: "10.22.0.6"
          BGP_AUTH_KEY_TYPE: 3
          BGP_AUTH_KEY: "427d1c22d5c186bd"

    groups:
      - name: all_leaf
        priority: 500
        policies:
          - name: bgp_as_policy_leaf
          - name: ebgp_overlay_leaf_all_neighbor_custom
          - name: evpn_bgp_neighbor_auth_SPINE1
          - name: evpn_bgp_neighbor_auth_SPINE2

It would be good it this was created by NaC automatically to resolve this issue for affected NDFC versions.

[marehler]

The observed NDFC behavior, also described in CSCwt54000, is expected. NDFC does not update policies created using custom template.

As an alternative approach or workaround, you could update (e.g. change the priority) and save the custom policies to trigger an update of the generated config, and then optionally revert back to the original parameters.