This document discusses using Ansible to automate network device configuration and management. It describes how Ansible allows networks to be treated as code, enabling repeatable configurations, collaboration between teams, and integrating networks into development workflows and pipelines. Modules are presented for configuring various network devices like Cisco, Juniper, F5 and others. Playbooks demonstrate automating tasks like access control list and object configuration. The benefits of automation include reduced errors, focus on architecture rather than manual tasks, and consistency across many devices simultaneously.
Slide 3
Why Automate?

It’s your single source of truth
● Backups/restores can be automated
● Changes can be incremental or wholesale
● Manage “golden” versions of configurations (in source control)

Configuration management and verification
Ensure an on-going steady-state
● Daily, weekly, monthly scheduled tasks
Slide 5
Ansible for Network Devices

Next-Gen Network Ops
• Community culture
• Risk aware
• Open solutions
• Teams collaborating
• Infrastructure as code
• Virtual prototyping / DevOps

Traditional Network Ops
• Traditional culture
• Risk averse
• Proprietary solutions
• Siloed from others
• “Paper” practices, MOPs
• “Artisanal” networks
Slide 6
Network Modules (literally over one hundred)
A10
Apstra
Arista EOS (cli, eAPI)
AVI Networks
Big Switch Networks
Cisco ASA, IOS, IOS-XR, NX-OS
Citrix Netscaler
Cumulus Linux
Dell OS6, OS9, OS10
Exoscale
F5 BIG-IP
Fortinet
Huawei
Illumos
Juniper Junos
Lenovo
Ordnance
NETCONF
Netvisor
Openswitch
Open vSwitch (OVS)
Palo Alto PAN-OS
Nokia SR OS
VyOS
Slide 7
Playbooks for Network Devices

- hosts: "{{ target_hosts | default('null-hosts') }}"
  connection: local
  vars:
    device_info:
      host: "{{ inventory_hostname }}"
      username: admin
      password: password
      authorize: yes
      auth_pass: password
  tasks:
    - name: create object group
      asa_config:
        lines:
          - range 192.168.100.0 192.168.100.255
        parents: ['object network inside-net']
        provider: "{{ device_info }}"
      register: result
    - debug: var=result
    - name: add ACL on outside interface
      asa_acl:
        lines:
          - access-list outside-in extended permit ip any object inside-net
        provider: "{{ device_info }}"

● device_info holds the basic variables used as part of device authentication. Note the separate enable password (auth_pass).
● The first task uses the module asa_config to configure the device, passing in the variables previously defined via provider, and registers the result.
● The second task uses the module asa_acl to configure the device, referencing the object we defined earlier.
Slide 8
What does it all mean?
As a developer you can:
Include networks in your deployment pipelines.
Configure firewall rules for your apps.
Use the automation language you love.
Slide 9
Doing it the DevOps way
Use your favourite deployment tool to configure networks as part of a pipeline.
Slide 11
Doing it the DevOps way
● Include all network changes that your application needs.
● Tie specific network configurations to your application.
● Fewer config backups (the network config is stored with the application and/or in a source code repository).
● Make everything repeatable.
● Treat your network devices as part of an application.
Slide 12
PIPELINE DEPLOY DEMO (topology diagram)
● Fedora Tomcat Server: 192.168.100.126
● Jenkins and Ansible Server: 192.168.100.88
● Cisco 5510 ASA: 192.168.100.0/24; Inside 192.168.100.126; Outside 203.44.161.142
● Internet Client: 203.xx.xx.xx
Slide 13
What does it all mean?
As a network admin you can:
Stop worrying about day to day drudgery.
Focus on architecture.
Make everything repeatable.
Treat the network as a whole rather than individual devices.
Slide 14
Doing it the DevOps way
● Run automated checks pre and post changes.
● Push mundane changes to multiple devices all at once.
● Who wants to do an ACL change across 100 devices? Nobody.
● Who wants to update SNMP community strings on 1000 devices? Nobody.
● Who wants to have a completely consistent TOR switch config? Everyone.
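One way to do the "automated checks pre and post changes" for the slide 7 playbook: diff the running config captured before and after the run and confirm that exactly the intended object and ACL line were added, nothing more and nothing less. This is an added example, not code from the deck; the config samples are constructed, and a real pipeline would capture them with show running-config.

```python
# Added example, not from the deck: confirm an ASA change landed exactly as
# intended by diffing configs captured before and after the playbook ran.
# Samples are constructed; a pipeline would capture "show running-config".
EXPECTED_ADDED = {  # what the slide-7 playbook is meant to add, as paths
    ("object network inside-net",),
    ("object network inside-net", "range 192.168.100.0 192.168.100.255"),
    ("access-list outside-in extended permit ip any object inside-net",),
}

def config_entries(config):
    """Parse an ASA-style config into command paths: top-level commands as
    1-tuples, indented children keyed by their parent (the relationship the
    playbook's `parents:` expresses), so 'range ...' lines stay distinct."""
    entries, parent = set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("!", ":")):
            continue  # blanks, comments and the ': Saved' banner
        if line.startswith(" ") and parent is not None:
            entries.add((parent, line.strip()))
        else:
            parent = line.strip()
            entries.add((parent,))
    return entries

def verify_change(pre, post, expected_added):
    """'missing': intended lines that never landed. 'unexpected_*': additions or
    removals the playbook was not meant to make (drift, or another operator
    touching the device in the same window). 'ok': the change was exact."""
    before, after = config_entries(pre), config_entries(post)
    added, removed = after - before, before - after
    report = {
        "missing": expected_added - added,
        "unexpected_added": added - expected_added,
        "unexpected_removed": removed,
    }
    report["ok"] = not (report["missing"] or report["unexpected_added"] or removed)
    return report
PRE_CONFIG = """\
: Saved
hostname asa5510
access-list outside-in extended deny ip any any
"""
POST_CONFIG = PRE_CONFIG + """\
object network inside-net
 range 192.168.100.0 192.168.100.255
access-list outside-in extended permit ip any object inside-net
"""
DRIFTED_CONFIG = POST_CONFIG + "snmp-server community public\n"  # untracked change
```

A failed "ok" is the pipeline's cue to stop and alert rather than proceed to the next device.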
Slide 15
MULTI DEPLOY DEMO (topology diagram)
● Ansible Server: 192.168.100.88
● Cisco 5510 ASA: 192.168.100.0/24; Inside 192.168.100.126; Outside 203.44.161.142
● Other endpoints shown: 13.70.137.188, 13.73.111.80, 13.70.139.137, 13.70.137.164
● Triggered by a local post-commit hook
Slide 17
Things to watch for
Paramiko options in your Ansible installation may need to change for network devices. Some of the options I changed (these sections live in ansible.cfg) were:

[paramiko_connection]
record_host_keys = False
look_for_keys = False

[persistent_connection]
connect_timeout = 30
connect_retries = 30
connect_interval = 1
Slide 18
Call to action
The Ansible community is vast and welcoming.
If there is anything that you'd like to see included in modules, please don't be shy: participate in the community.
https://www.ansible.com/community