Like most computer systems, network devices such as routers and switches can be managed through Ansible. Ansible has a modular design that lets it deal with a large variety of devices. It ships with a number of modules, and where no specific module is available users can still fall back on general-purpose modules such as raw, shell or command.
Every action executed by Ansible modules must first be defined in a “playbook”. The actions defined in a playbook are executed over SSH, so no additional software, such as an agent, is needed on the managed device.
The use of SSH makes Ansible compatible with a larger range of devices and its adoption way simpler.
First step: Defining the Inventory
Every device to be managed must first be defined in the Ansible inventory, which is kept in the file /etc/ansible/hosts.
You can organize your inventory in groups that can be combined making larger groups to better reflect the way devices are distributed, like groups of switches per floor that can be combined making a big group containing all floors in a building. To make a group of groups use the :children suffix.
# FL1_SW group with 3 IP addresses
[FL1_SW]
10.200.120.15
10.200.120.16
10.200.120.17

# FL2_SW group with 3 IP addresses
[FL2_SW]
10.200.121.15
10.200.121.16
10.200.121.17

# BUILDING_1 group containing both floors
[BUILDING_1:children]
FL1_SW
FL2_SW
Plan the Changes Through Playbooks
Playbooks are defined in text files with the .yml (yet another markup language) extension [1].
For every device or system to be managed through Ansible there must be a module [2]. For example, to manage Cisco IOS devices you should use either the ios_command or the ios_config module, depending on whether you want to execute commands in EXEC mode or actually change the device configuration through CONFIGURE mode [3].
As an example, the playbook defined below will change a configuration section on a group of IOS devices:
---
- hosts: BUILDING_1
  gather_facts: no
  connection: local

  tasks:
    - name: OBTAIN LOGIN CREDENTIALS
      include_vars: secrets.yml

    - name: set provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ creds['username'] }}"
          password: "{{ creds['password'] }}"
          auth_pass: "{{ creds['auth_pass'] }}"

    - name: Remove IP helper address from Vlan10 interface
      ios_config:
        provider: "{{ provider }}"
        authorize: yes
        lines:
          - no ip helper-address 10.1.2.20
          - no ip helper-address 10.1.5.20
        parents: ['interface Vlan10']
        match: exact
        save: yes
Note that the playbook references file “secrets.yml”. This file contains the SSH credentials and also the ENABLE password (if it’s a Cisco device) and looks like the following:
# Replace 'cisco' by your SSH login and password and enable password
---
creds:
  username: cisco
  password: "cisco"
  auth_pass: "cisco"
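As written, secrets.yml keeps the SSH and ENABLE passwords in clear text; Ansible Vault (ansible-vault encrypt secrets.yml, then ansible-playbook with --ask-vault-pass) stores the same file encrypted. The check below is an added example, not part of the original article or of Ansible: it flags a variables file that is readable by other users or holds plaintext password values, and the key-name pattern and the demo helper are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"   # first characters of a vault-encrypted file
# Assumption: keys whose name contains "pass" or "secret" hold credentials.
SECRET_KEY = re.compile(r"^\s*(\w*pass\w*|\w*secret\w*)\s*:\s*\S", re.I)

def audit_vars_file(path):
    """Return a list of findings for one variables file such as secrets.yml."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other users access the file")
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if lines and lines[0].startswith(VAULT_HEADER):
        return findings            # whole file is vault-encrypted
    for number, line in enumerate(lines, 1):
        # Flag plaintext values, but not inline '!vault' encrypted ones.
        if SECRET_KEY.match(line) and "!vault" not in line:
            key = line.split(":", 1)[0].strip()
            findings.append(f"line {number}: '{key}' is stored in plaintext")
    return findings

def demo():
    """Audit a temporary copy of the article's secrets.yml, created mode 0644."""
    sample = ('---\ncreds:\n  username: cisco\n'
              '  password: "cisco"\n  auth_pass: "cisco"\n')
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secrets.yml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_vars_file(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```
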
Bringing Ansible into Action: Executing the Playbook
So far we have just defined the inventory with the devices that we want to configure and added to the playbook the command lines to be executed on those devices. No action has yet been performed on any device, though.
To actually deploy the playbook to our inventory and run the defined commands we call the ansible-playbook utility on the Ansible server CLI passing the name of the yml file that contains the playbook:
ansible-playbook iphelper.yml
The file iphelper.yml contains the playbook defined previously. If you look into the playbook definition, the section “lines” contains the actions to be executed (no ip helper-address …). All those actions will be executed within the context defined in the section “parents” (interface Vlan10).
This playbook will only affect the group defined in the section “hosts” of the playbook, that is BUILDING_1.
Adjusting and Verifying Playbook Execution
You can better limit and control the devices affected by the playbook using the command line option --limit [4].
The example below will execute the playbook defined in iphelper.yml affecting group BUILDING_1, except for the subgroups FL1_SW and FL2_SW.
ansible-playbook iphelper.yml --limit 'BUILDING_1:!FL1_SW:!FL2_SW'
Before executing any playbook, you might want to check that there are no syntax errors in it. To do that, use the command ansible-playbook with the --syntax-check flag.
ansible-playbook iphelper.yml --syntax-check
You also might want to check which hosts will be affected by a playbook before you run it. To do that, use ansible-playbook with the --list-hosts flag.
ansible-playbook iphelper.yml --list-hosts
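To see offline how :children groups and a --limit pattern combine into the final host list, the sketch below resolves them by hand. It is an added example, not Ansible's own code: it models only group names joined with ':' and excluded with '!', and the FL3_SW group is constructed for the illustration.

```python
INVENTORY = """# The article's inventory plus FL3_SW, a group constructed for this example
[FL1_SW]
10.200.120.15
10.200.120.16
10.200.120.17
[FL2_SW]
10.200.121.15
10.200.121.16
10.200.121.17
[FL3_SW]
10.200.122.15
[BUILDING_1:children]
FL1_SW
FL2_SW
FL3_SW
"""

def parse_inventory(text):
    """Map each group to its direct hosts and to its :children groups."""
    hosts, children, target = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            name, _, kind = line[1:-1].partition(":")
            table = {"": hosts, "children": children}.get(kind)  # skips :vars
            target = None if table is None else table.setdefault(name, [])
        elif line and target is not None:
            target.append(line.split()[0])
    return hosts, children

def expand(group, hosts, children, path=()):
    """Hosts of a group, following :children recursively (cycle-safe)."""
    found = list(hosts.get(group, []))
    for child in children.get(group, []):
        if child not in path and child != group:
            found += expand(child, hosts, children, (*path, group))
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def apply_limit(pattern, hosts, children):
    """Evaluate a limit such as 'A:B:!C': union of plain terms minus '!' terms."""
    keep, drop = [], set()
    for term in pattern.split(":"):
        if term.startswith("!"):
            drop.update(expand(term[1:], hosts, children))
        else:
            keep += expand(term, hosts, children)
    return [h for h in dict.fromkeys(keep) if h not in drop]

print(apply_limit("BUILDING_1:!FL1_SW:!FL2_SW", *parse_inventory(INVENTORY)))
```

With only FL1_SW and FL2_SW under BUILDING_1, as in the inventory defined earlier, the same pattern leaves no hosts to run against.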
Further examples of network device management with Ansible, especially for Cisco devices using the ios_command and ios_config modules, are available in the links below:
- Network Automation With Ansible
- A Week with Ansible for Cisco IOS
- Kicking the tires with the new Ansible Network Modules
References
1. https://docs.ansible.com/ansible/playbooks.html
2. https://docs.ansible.com/ansible/list_of_network_modules.html#
3. http://docs.ansible.com/ansible/ios_config_module.html
4. https://ansible-tips-and-tricks.readthedocs.io/en/latest/ansible/commands/#limit-to-one-or-more-hosts