1. Stefanus Soehono
Associate Principle Solution Architect
NETWORK AUTOMATION WITH ANSIBLE

2. Why Automation for Networks?

3. MANAGING NETWORKS
HASN’T CHANGED
IN 30 YEARS.

4. WHAT IS THE PRIMARY METHOD OF MAKING NETWORK CHANGES
IN YOUR ENVIRONMENT?

5. WHY HASN’T NETWORKING CHANGED?
PEOPLE PRODUCTS
Infrastructure-focused features
Baroque, CLI-only methodologies
Siloed technologies
Monolithic, proprietary platforms
Domain specific skillsets
Vendor oriented experience
Siloed organizations
Legacy operational practices

6. WHAT IS ANSIBLE?
a company acquired by Red Hat …...………….....
an application ………………..………...………….
a framework ……………………..…………..
an API ……………………..……………….
a language ………………..……….
YES
YES
YES
YES
YES

7. THE MOST POPULAR OPEN SOURCE AUTOMATION PLATFORM
Goal:
Unify provisioning, configuration, and application deployment
Result: Ansible
A python-based command line engine that interprets and executes
YAML-based “Playbooks” that contain one or more “plays” or tasks.

8. 1650+~3,700 500,000
downloads/monthcontributors modules included

9. BIGGEST CHALLENGE FOR ENTERPRISES: CULTURE!
Traditional Network Ops Next-Gen Network Ops
• Legacy culture
• Risk averse
• Proprietary solutions
• Siloed from others
• “Paper” practices, MOPs
• “Artisanal” networks
• Community culture
• Risk aware
• Open solutions
• Teams of heroes
• Infrastructure as code
• Virtual prototyping / DevOps

10. ROI VALUE OF AUTOMATION
REDUCE COST
REDUCE lock-in, 40+ networking
platforms included
DO MORE with less
BECOME proactive instead of reactive
APPLY business rules more quickly
GROW REVENUE
PROVIDE new services and apps
ADDS capacity with new customers
and workloads
STREAMLINES and standardizes
security and risk mitigation
FASTER time to market

11. WHY ANSIBLE FOR NETWORK AUTOMATION?
BUILD
with Red Hat Ansible Engine
● Get automating quickly.
● Integrate multi-vendor
configurations.
● Ideal for both existing and
greenfield.
Automate
discrete tasks
MANAGE
with Red Hat Ansible Engine
● Methodically track
configuration drift.
● Make changes across any set
of network devices.
● Validate that changes were
successful.
Automate
business processes
SCALE
with Red Hat Ansible Tower
● Ensure ongoing steadystate
on a schedule.
● Use role-based access
controls with specific teams.
● Integrate external third-party
solutions with RESTful API.
Orchestrate & operationalize
automation
Configure, validate, & ensure continuous compliance for physical network devices

12. Infrastructure as YAML
• Backups/restores can be automated
• Manage “golden” versions of configurations
Configuration management
• Changes can be incremental or wholesale
• Make it part of the process: agile, waterfall, etc.
Ensure an on-going steady-state
• Daily, weekly, monthly scheduled tasks
• State checking and validation
HOW ARE THEY GETTING THERE?
“Start small, Think big!”

13. HOW DOES NETWORK AUTOMATION WORK?
NETWORKING
DEVICES
LINUX/WINDOWS
HOSTS
LOCAL EXECUTION
Module code is
copied to the
managed node,
executed, then
removed
Module code is
executed locally
on the control
node
REMOTE EXECUTION

14. DEV NETWORK IT OPERATIONSBUSINESS
ANSIBLE IS THE UNIVERSAL LANGUAGE

15. Case Study: Surescripts
Red Hat Ansible Tower helps speed network
configuration, server administration, and software
development for e-prescription provider
Automating 700+ RHEL servers,
Windows servers, and F5 load balancers
with Ansible Tower.
“...because [Ansible Tower] keeps track of all jobs,
we can go back and see what jobs ran...because you
never know when you’ll need that information.”
Benefited by:
● Reduced downtime due to human error
● Testing changes virtually increased confidence
● Ability to automate “everything”
● Enhanced logging enabled compliance
“...the biggest win we’ve had with network
automation is the ability to failover between our
datacenters. Downtime went from hours to
minutes.”
AVAILABLE
NOW!
https://www.redhat.com/en/resources/surescripts-customer-case-study

16. NETWORKTOCODE – NETDEVOPS SURVEY (NOV. 2016)
“Which of the following tools are you interested in or have you deployed?”

17. OPEN SOURCE
(COMMUNITIES)
RED HAT ANSIBLE AUTOMATION
(ENTERPRISE)
OPS - IT Managers, “Teams”
DEV - Playbook Authors, “Individuals”
Bottom-up
influence
Top-down
strategy

18. DEVICE CENTRIC
NETWORK AUTOMATION
CLOUD CENTRIC
NETWORK AUTOMATION
APPLICATION CENTRIC
NETWORK AUTOMATION
- Build and push
device
configurations
- Automate tactical
operations on
network devices
- Automate network
devices in support of
applications
- Support direct to
device and controller
based virtualization
- Describe and deploy
network connectivity
between clouds
- Support public/private
and/or public/public clouds

19. SIMPLE POWERFUL AGENTLESS
Gather Information and Audit
Configuration management
Workflow orchestration
Manage ALL IT infrastructure
Human readable automation
No special coding skills needed
Tasks executed in order
Get productive quickly
Agentless architecture
Uses OpenSSH and paramiko
No agents to exploit or update
More efficient & more secure

20. ANSIBLE AUTOMATION ENGINE
CMDB
USERS
INVENTORY
HOSTS
NETWORK
DEVICES
PLUGINS
CLI
MODULES
PUBLIC / PRIVATE
CLOUD
PUBLIC / PRIVATE
CLOUD
ANSIBLE PLAYBOOK
CORE NETWORK COMMUNITY

21. RED HAT ANSIBLE ENGINE CORE MODULES
• Developed, tested, and maintained by Red Hat
• ~100 modules and growing
• Fully supported: we’ll report and fix problems
• Side note: we’re actively working with other
Red Hat product teams to get their modules
into Engine as core modules:
E.g. oVirt, redhat_subscription, IPA, etc.
CORE MODULES INCLUDED:
commands
files
inventory actions
basic network actions
Packaging (i.e. yum)
source control
systems
Utilities
AWS
Windows

22. PLAYBOOK EXAMPLE
---
- name: run multiple commands and evaluate the output
hosts: ios01
tasks:
- name: show version and show interfaces
ios_command:
commands:
- show version
- show interfaces
wait_for:
- result[0] contains IOS
- result[1] contains Loopback0

23. PLAYBOOK EXAMPLE – REAL WORLD
---
- name: configure ios interface
hosts: ios01
connection: network_cli
tasks:
- name: collect device running-config
ios_command:
commands: show running-config interface GigabitEthernet0/2
register: config
- name: administratively enable interface
ios_config:
lines: no shutdown
parents: interface GigabitEthernet0/2
when: ‘”shutdown” in config.stdout[0]‘

24. PLAYBOOK EXAMPLE – REAL WORLD (CONT.)
---
- name: verify operational status
ios_command:
commands:
- show interfaces GigabitEthernet0/2
- show cdp neighbors GigabitEthernet0/2 detail
waitfor:
- result[0] contains ‘line protocol is up’
- result[1] contains ‘iosxr03’
- result[1] contains ’10.0.0.42’
provider: “{{ cli }}”

25. PLAYBOOK EXAMPLE – REAL WORLD (RESULTS)
(ansible)[network]$ ansible-playbook ios_interface.yaml
PLAY [configure ios interface] *************************************
TASK [collect device running-config] *******************************
ok: [ios01]
TASK [administratively enable interface] ***************************
changed: [ios01]
TASK [verify operational status] ***********************************
ok: [ios01]
PLAY RECAP *********************************************************
ios01 : ok=3 changed=1 unreachable=0 failed=0

26. INSERT DESIGNATOR, IF NEEDED27
- name: configure eos system properties
eos_system:
domain_name: ansible.com
vrf: management
when: ansible_network_os == 'eos'
- name: configure nxos system properties
nxos_system:
domain_name: ansible.com
vrf: management
when: ansible_network_os == 'nxos'
- name: configure ios system properties
ios_system:
domain_name: ansible.com
lookup_enabled: yes
when: ansible_network_os == 'ios'
● Per Platform Implementation
● Focused on managing a resource
● Declarative by design
● Handles complexity
Network Resource Modules

27. INSERT DESIGNATOR, IF NEEDED
- name: configure network interface
net_interface
name: “{{ interface_name }}”
description: “{{ interface_description }}”
enabled: yes
mtu: 9000
state: up
- name: configure VLAN ID and name
net_vlan:
vlan_id: 20
name: test-vlan - iosxr_interface:
...
- iosxr_vlan:
...
28
- nxos_interface:
...
- nxos_vlan:
...
- junos_interface:
...
- junos_vlan:
...
- eos_interface:
...
- eos_vlan:
...
- ios_interface:
...
- ios_vlan:
...
Network Resource Modules

28. ANSIBLE NETWORK AUTOMATION
ansible.com/for/networks
galaxy.ansible.com/ansible-network
Ansible Network modules comprise 1/3 of all modules that ship with Ansible Engine
700+
Network
Modules
50
Network
Platforms
12*
Galaxy
Network Roles

29. 7 Platforms
28 Modules
17 Platforms
141 Modules
29 Platforms
267 Modules
33 Platforms
463 Modules
2.1
May 2016
2.2
Oct 2016
2.3
Apr 2017
2.4
Sep 2017
NETWORK AUTOMATION PROGRESS
40 Platforms
572 Modules
2.5
Mar 2018
45 Platforms
639 Modules
2.6
Jun 2018
50 Platforms
700 Modules
2.7
Oct 2018

30. A10
Apstra AOS
Arista EOS, CVP
Aruba Networks
AVI Networks
Big Switch Networks
Brocade Ironware
Cisco ACI, AireOS, ASA, Firepower,
IOS, IOS-XR, Meraki, NSO, NX-OS
Citrix Netscaler
Cumulus Linux
Dell OS6, OS9, OS10
MikroTik RouterOS
Openswitch (OPX)
Ordnance
NETCONF
Netvisor
OpenSwitch
Open vSwitch (OVS)
Palo Alto PAN-OS
Nokia NetAct, SR OS
Ubiquiti EdgeOS
VyOS
NETWORK MODULES: BUILT-IN DEVICE ENABLEMENT
Exoscale
Extreme EX-OS, NOS,
SLX-OS, VOSS
F5 BIG-IP, BIG-IQ
Fortinet FortIOS, FMGR
Huawei CloudEngine
Illumos
Infoblox NIOS
Juniper JunOS
Lenovo CNOS, ENOS
Mellanox ONYX

31. RED HAT ANSIBLE NETWORK AUTOMATION
• Developed, maintained, tested, and supported
by Red Hat, includes Ansible Engine, Ansible Tower
• 140+ supported modules and growing*
• Red Hat reports and fixes problems
• Networking Modules and Roles included
*take special note of the specific supported platforms
NETWORK MODULES INCLUDED SUPPORT:
Arista EOS
Cisco IOS
Cisco IOS XR
Cisco NX-OS
Infoblox NIOS
Juniper Junos
Open vSwitch
VyOS

32. RED HAT ANSIBLE TOWER
RED HAT ANSIBLE ENGINE
Scale + operationalize your automation
Support for your Ansible automation
CONTROL KNOWLEDGE DELEGATION
SIMPLE POWERFUL AGENTLESS
FUELED BY AN INNOVATIVE OPEN SOURCE COMMUNITY

33. Building, managing dynamic inventory
Organizing admin control with users and teams
Leverage Ansible Workflows to break up tasks
Ongoing compliance
-compare running configs to golden masters
on schedules
Utilize the RESTful API for anything
WHY ANSIBLE TOWER FOR NETWORKS

34. Well Defined Role Based API
API DRIVEN INFRASTRUCTURE
Easily Customizable Back End
Servers
Storage
Networking
{|}

35. ControlVersion
Notifies of
pass / failCheck Out Branch
Monitors
repository for
changes
Deploy Playbooks
Test changes
Notifies of
deployment
Notify of PR
Check In Branch /
Create PR
Make Changes
Merge Branch
Pulls new
Playbooks
Ansible Playbook
NETWORK CI WORKFLOW
1
2
3 4

36. • Information / Inventory Retrieval and Configuration
– Ad hoc or bulk
– Iteration over specific network segments, VLANs, VRFs
– Credential management with Tower Vault
• State Checking and Validation
– Compare running configs to desired configs
• Invocation of Tasks/Playbooks
– Manually, API via Tower, Scheduled via Tower
AUTOMATION USE CASE EXAMPLES

37. AUTOMATION USE CASE EXAMPLES
• Continuous Compliance
– Combining stateful validation with schedules
– Logging and Aggregation
• Integrations
– ZTP post-install NOS handoff to Ansible
– External APIs using Tower-CLI
• Splunk, ServiceNow, VMware, Elastic
• Atlassian, GitLab, Jenkins, and most all Red Hat products

38. Learn Ansible
• Join existing Ansible network automation communities
• Take Ansible training courses from Red Hat or elsewhere
Develop success criteria
• Create specific goals that require planning, tailored to your organization
• Create phases to ensure people and processes aren’t alienated
Start small!
• Create Playbooks that read or check only
• Create simple jobs that eliminate the most annoying tasks
• Leverage existing knowledge internally
WHERE DO I BEGIN?

39. It’s a strategy, it’s a journey
No need to abandon or redefine network operations
• Build with Ansible for bridges between legacy and modern
networks
Foster and leverage tribal knowledge
AUTOMATION IS NOT JUST A TOOL

40. RESOURCES
Ansible Networking Homepage:
ansible.com/networking
Download the latest Ansible:
releases.ansible.com/ansible/
Evaluate Ansible Tower:
ansible.com/tower-trial/
Email: gettingstarted@ansible.com
Join the Community
Users list: ansible-project
Development list: ansible-devel
Announcement list: ansible-announce (read only)
irc.freenode.net: #ansible
slack.networktocode.com: #ansible