Bulk Device Configuration with Ansible

Like most computer systems, network devices like routers and switches can also be managed through Ansible. Ansible has a modular design that enables it to deal with a large variety of devices. It already ships with a number of modules, and in cases where no specific module is available users can still leverage general usage modules like RAW, SHELL or COMMAND.

Every action executed by Ansible modules must be previously defined in “playbooks”. Actions defined in a playbook will be executed through SSH, dispensing any additional piece of software on client side such as a software agent.

The use of SSH makes Ansible compatible with a larger range of devices and its adoption way simpler.

First step: Defining the Inventory

Every device that will be managed has to be previously defined in Ansible inventory, that is defined on the file /etc/ansible/hosts.

You can organize your inventory in groups that can be combined making larger groups to better reflect the way devices are distributed, like groups of switches per floor that can be combined making a big group containing all floors in a building. To make a group of groups use the :children suffix.

#FL1_SW group with 3 IP addresses
[FL1_SW]
10.200.120.15
10.200.120.16
10.200.120.17

#FL2_SW group with 3 IP addresses
[FL2_SW]
10.200.121.15
10.200.121.16
10.200.121.17

#BUILDING_1 group containing both floors
[BUILDING_1:children]
FL1_SW
FL1_SW

Plan the Changes Through Playbooks

The playbooks are defined on text files with the .yml (yet another markup language) extension 1)https://docs.ansible.com/ansible/playbooks.html.

For every device or system to be managed through Ansible there must be a module 2)https://docs.ansible.com/ansible/list_of_network_modules.html#. For example, for managing Cisco-IOS devices you should use either ios_command or ios-config module, depending if you want to execute commands on EXEC mode or actually change the device configuration through CONFIGURE mode 3)http://docs.ansible.com/ansible/ios_config_module.html.

As an example, the playbook defined below will change a configuration section on a group of IOS devices:

---
- hosts: BUILDING_1
gather_facts: no
connection: local

tasks:
- name: OBTAIN LOGIN CREDENTIALS
include_vars: secrets.yml

- name: set provider
set_fact:
provider:
host: "{{ inventory_hostname }}"
username: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
auth_pass: "{{ creds['auth_pass'] }}"

- name: Remove IP helper address from Vlan10 interface
ios_config:
provider: "{{ provider }}"
authorize: yes
lines:
- no ip helper-address 10.1.2.20
- no ip helper-address 10.1.5.20
parents: ['interface Vlan10']
match: exact
save: yes

Note that the playbook references file “secrets.yml”. This file contains the SSH credentials and also the ENABLE password (if it’s a Cisco device) and looks like the following:

#Replace 'cisco' by your SSH login and password and enable password
---
creds:
username: cisco
password: "cisco"
auth_pass: "cisco"

Bringing Ansible into Action: Executing the Playbook

So far we have just defined the inventory with the devices that we want to configure and added the command lines to be executed by those devices to the playbook. No action has been yet performed by any device though.

To actually deploy the playbook to our inventory and run the defined commands we call the ansible-playbook utility on the Ansible server CLI passing the name of the yml file that contains the playbook:

ansible-playbook iphelper.yml

The file iphelper.yml contain the playbook defined previously. If you look into the playbook definition, the section “lines” contains the actions to be executed (no ip helper-address …). All those actions will be executed within the context defined in the section “parents” (interface Vlan10).

This playbook will only affect the group defined in the section “hosts” of the playbook, that is BUILDING_1.

Adjusting and Verifying Playbook Execution

You can better limit and control the devices affected by the playbook using the command line option --limit 4)https://ansible-tips-and-tricks.readthedocs.io/en/latest/ansible/commands/#limit-to-one-or-more-hosts.

The example below will execute the playbook defined in iphelper.yml affecting group BUILDING_1, except for the subgroups FL1_SW and FL2_SW.

ansible-playbook iphelper.yml --limit 'BUILDING_1:!FL1_SW:!FL2_SW'

Before executing any playbook, you might want to check if there’s no syntax errors on it. To do that, use the command ansible-playbook with the --syntax-check flag.

ansible-playbook iphelper.yml --syntax-check

You also might want to check what hosts will be affected by a playbook before you run it. To do that, use ansible-playbook with the --list-hosts flag.

ansible-playbook iphelper.yml --list-hosts

Further examples of network devices management with Ansible, especially Cisco devices using the ios_command and ios_config modules are available in the links below:

References   [ + ]

1. https://docs.ansible.com/ansible/playbooks.html
2. https://docs.ansible.com/ansible/list_of_network_modules.html#
3. http://docs.ansible.com/ansible/ios_config_module.html
4. https://ansible-tips-and-tricks.readthedocs.io/en/latest/ansible/commands/#limit-to-one-or-more-hosts

Leave a Reply

Your email address will not be published. Required fields are marked *