Ansible Network Automation – Cisco IOS

This post will give a quick overview of setting up your Ansible deployment to be able to use Ansible IOS network modules, these modules can be put together to build a playbook that can be used in an initial switch deployment as a base config, or could be setup with variables so jr members of your team can be used to make changes to a switch config.

This post assumes that you have already installed ansible core and have successfully pinged a remote device, such as a Linux server.

First thing we will do is setup our group_vars file to tell Ansible what method of communication to use to talk with our new Cisco IOS host. Let’s create a new file under /group_vars, in my machine the folder is located under /etc/ansible/group_vars.

I will create ios.yml under /etc/ansible/group_vars.

 group_vars]$ touch ios.yml


Now that I have created the file, I’ll edit it so that ansible will know to reference back to this file to understand how to communicate with our IOS host we will add shortly to our hosts.ini file. The file should have the following:


---
ansible_connection: network_cli
ansible_network_os: ios
ansible_user: ## FILL IN USER ##
ansible_ssh_pass: ## FILL IN PASS ##
ansible_become: yes
ansible_become_method: enable
ansible_become_pass: ## FILL IN ENABLE PASS ##

#Note this is not best practice to hard-code credentials in here, but this is just for demonstration purposes. In production you would likely want to use a variable for credentials and/or pair this with ansible-vault, which we will cover later.

Lets run thru a quick breakdown of each of these settings.

ansible_connection : This is the key variable that ansible reads to identify what type of device it will be communicating with. In our case, we will be talking to a Cisco IOS switch, however the same network_cli would be used if you were talking to any other network device, such as a Dell PowerConnect switch, Cisco ASA firewall, PaloAlto device.

ansible_network_os: This variable tells ansible what SPECIFIC network device you are communicating with, in this example we are talking with a Cisco IOS 3850, so when specify the ios it’s telling ansible to use the IOS modules in the next task.

ansible_user: This is the username you would normally type in if you were to SSH to the switch.

ansible_ssh_pass : This is the password you would normally type if you were to SSH to the switch

ansible_become: This tells ansible if you need to escalate to the enable console, you are allowed to

ansible_become_method: This tells ansible what method it should use to elevate to the priv mode

ansible_become_pass: This is the password ansible should use when it attempts to elevate to priv mode


Next let’s throw together a playbook that will use the IOS_banner to set the login banner of the switch.

---
- hosts: all
  vars_files:
    - /etc/ansible/group_vars/ios.yml
  tasks:
    - name: Setting the login banner on switch
      ios_banner:
       banner: login
       text: THIS IS FROM MY ANSIBLE PLAYBOOK
       state: present



This is going to load our previously created ios.yml file that has all the connection variables that are needed when talking to a network device. Then it will use those variables to run the IOS_banner module.


Now, the last thing we need to do is create an IOS inventory file, if you have an existing inventory file you can just make a new [ios] group or you can make a new ios.ini file. I will simply make a new ios.ini file.

 ansible]$ touch ios.ini
ansible]$ vi ios.ini
(add my ip for this switch)

Now if we tie this all together in a single command, it will execute our playbook from the newly created inventory file, keep in mind this inventory file can be 1 or 100s of IOS devices, in this case it’s just 1 switch.

 ansible]$ ansible-playbook -i ios.ini playbooks/ios_test.yml


[WARNING]: Skipping plugin (/usr/lib/python2.7/site-
packages/ansible/plugins/connection/accelerate.py) as it seems to be invalid:
cannot import name key_for_hostname
/usr/lib/python2.7/site-packages/requests/__init__.py:80: RequestsDependencyWarn                                                                                                                                                             ing: urllib3 (1.22) or chardet (2.2.1) doesn't match a supported version!
  RequestsDependencyWarning)

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
[WARNING]: Ignoring timeout(10) for ios_facts
[WARNING]: default value for `gather_subset` will be changed to `min` from
`!config` v2.11 onwards
ok: [x.x.x.x]

TASK [Setting banner MOTD on switch] *******************************************
ok: [x.x.x.x]

PLAY RECAP *********************************************************************
x.x.x.x                   : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Please disregard the warnings, these are due to the fact that I am using a newer ansible version.

If your PLAY RECAP shows change=1 or more, then that means the play was a success and next time you login to your switch you’ll have a new banner!

You can continue to build playbooks now and load the var_file we created at the beginning of this to make more advance and indepth playbooks to begin down the path of automating your network infrastructure.


More details about IOS modules, network_cli options & variables can be found below

https://docs.ansible.com/ansible/latest/plugins/connection/network_cli.html

https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html

https://docs.ansible.com/ansible/latest/modules/list_of_network_modules.html#ios

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.