Ansible Networking Modules - Managing Configurations

Ansible Networking Modules
Ivan Pepelnjak (ip@ipSpace.net)
Network Architect

ipSpace.net AG

This material is copyrighted and licensed for the sole use by Mikel Maeso (mikel.maeso@gmail.com [85.87.178.33]). More information at http://www.ipSpace.net/Webinars
Who is Ivan Pepelnjak (@ioshints)
Past
• Kernel programmer, network OS and web developer
• Sysadmin, database admin, network engineer, CCIE
• Trainer, course developer, curriculum architect
• Team lead, CTO, business owner
Present
• Network architect, consultant, blogger, webinar and book author
Focus
• SDN and network automation
• Large-scale data centers, clouds and network virtualization
• Scalable application design
• Core IP routing/MPLS, IPv6, VPN

More @ ipSpace.net/About
Ansible Networking Modules (Ansible 2.2)
Switches and routers:
• Arista EOS
• Cisco IOS, IOS-XR, NX-OS
• Cumulus Linux
• Dell OS6, OS9, OS10
• Junos
• OpenSwitch
• Nokia SR OS
• Vyos
Load balancers: A10, Citrix, F5

Firewalls: ASA, Palo Alto (Galaxy)

Other:
• Open vSwitch
• NETCONF config

Ansible Support for Switches and Routers
• Introduced in Ansible 2.1
• Similar interface for EOS, IOS, IOS-XR, NX-OS and Junos
• No abstraction – you have to deal with configuration differences

Common tasks (all platforms)


• Config (manage configurations)
• Command (execute arbitrary commands)
• Template (manage configurations built from templates)

Changing Device Configuration

Changing Network Device Configuration with Ansible
Generic solutions:
• Execute individual configuration commands (Arista, Cisco, Juniper, Vyos)
• Push template-generated configuration to the device (Arista, Cisco, Juniper)

Device-specific tasks:
• Cisco ASA: manage ACLs
• Cumulus Linux: configure bonds (LAGs), bridges, interfaces
• Junos: manage NETCONF and packages
• Nexus OS: manage features, interfaces, IP interfaces, switchports, VLANs, VRF and VRRP, BGP and OSPF, VXLAN and EVPN, IGMP…

Simple Changes with Device-Specific Tasks

Enable Nexus OS Features (Nexus 9000 only)

---
- hosts: nxos
  tasks:
  - nxos_feature:
      feature: "{{item}}"
      state: enabled
      provider: "{{cli}}"
    with_items: [ ospf, bgp, nxapi, lacp ]

• Enables or disables specified Nexus OS features


Returns:
• Commands sent to the device
• Proposed feature state
• Existing feature state and end state

Enable Nexus API

---
- hosts: nxos
  tasks:
  - nxos_nxapi:
      provider: "{{cli}}"
      state: "{{API|default('started')}}"

Enables or disables NXAPI


Parameters
• State
• Enable HTTP or HTTPS
• HTTP and HTTPS ports
• Sandbox

Enabling NXAPI

$ ansible-playbook -v nexus-enable-api.yml
$ ansible-playbook -v nexus-enable-api.yml --extra-vars "API=stopped"

Demo 1
Create VLANs on Nexus OS: Data Model

# all.yml

#
# List of VLANs present on all switches
# VLAN 1 must be present and have name default
#
vlans:
  - { id: "1", name: "default" }
  - { id: "100", name: "mgmt", subnet: "172.16.1.0/24" }
  - { id: "101", name: "web", subnet: "192.168.201.0/24" }
  - { id: "110", name: "db", subnet: "192.168.202.0/24" }

# s1.lab.local.yml
---
interfaces:
  - { vlan: "100", ip: 172.16.1.101 }
  - { vlan: "101", ip: 192.168.201.3 }
  - { interface: "loopback0", prefix: "192.168.0.1/32" }

Create VLANs on Nexus OS

---
- hosts: nxos
  name: configure VLANs
  tags: VLAN
  tasks:
  - nxos_vlan:
      provider: "{{nxapi}}"
      vlan_id: "{{item.id}}"
      state: "{{item.state | default('present') }}"
      admin_state: "{{ item.admin | default('up') }}"
      name: "{{item.name}}"
    with_items: "{{vlans}}"

Parameters:
• VLAN ID or range, VLAN name
• State, administrative status
Demo 2
Creating Nexus OS VLANs

$ ansible-playbook -v nexus-vlan-set.yml

Identify Extra VLANs

---
- hosts: nxos
  name: configure VLANs
  tags: VLAN
  tasks:
  - nxos_vlan: …
    with_items: "{{vlans}}"
    register: vlan_state
  - set_fact:
      vlans_list: "{{vlan_state.results[0].existing_vlans_list}}"
  - set_fact:
      target_list: "{{ vlans|map(attribute='id')|list }}"
  - fail: msg="Extra VLAN configured on {{inventory_hostname}}"
    when: "{{ vlans_list | difference(target_list) }}"

Ansible Aside: Registered Variables and Loops


- nxos_vlan: …
  with_items: "{{vlans}}"
  register: vlan_state
- set_fact:
    vlans_list: "{{vlan_state.results[0].existing_vlans_list}}"

• register parameter stores task results in specified variable


• When using loops, the specified variable contains results list
• results list contains task results (one item per iteration)

Ansible Aside: Map Filter


- set_fact:
    target_list: "{{ vlans|map(attribute='id')|list }}"

The map filter can be used to:

• Extract an attribute from every item in a list of dictionaries
• Apply a filter to every item in the list
  example: list-of-integers | map('string')
• The result of a map filter is a generator; to convert it to a list, use the list filter

Ansible Aside: Set Filters


- fail: msg="Extra VLAN configured on {{inventory_hostname}}"
  when: "{{ vlans_list | difference(target_list) }}"

Set filters available in Ansible


• unique returns the unique values from a list
• union returns elements present in at least one of the lists
• intersect returns elements present in both lists
• difference returns elements present in the first list but not in the second one
• symmetric_difference returns the union of both differences (elements present in exactly one of the lists)

Warning: 1 and "1" are different elements (the filters compare values, so an integer never matches a string)
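The extra-VLAN check from the "Identify Extra VLANs" playbook and the set filters listed above, reimplemented as an added Python example (this is not code from the slides or from Ansible: the difference filter is re-created by hand, the VLAN list is constructed to match all.yml, and the device-side VLAN lists are made up so that the 1 versus "1" pitfall can be observed and then neutralised):

```python
# Added example (not from the ipSpace.net slides or from Ansible itself): the
# "extra VLAN" check of the playbook above in plain Python, so that the
# set-filter behaviour, and the 1 vs "1" pitfall the slide warns about, can be
# observed on constructed data.

def ansible_difference(a, b):
    """Mimic Ansible's ``difference`` filter: items of a that are not in b,
    order preserved, duplicates removed. Comparison is by equality, so the
    integer 1 and the string "1" are different elements."""
    seen = set()
    result = []
    for item in a:
        if item not in b and item not in seen:
            seen.add(item)
            result.append(item)
    return result


# Constructed sample: the desired VLAN list (the ``vlans`` variable in all.yml)
VLANS = [
    {"id": "1", "name": "default"},
    {"id": "100", "name": "mgmt", "subnet": "172.16.1.0/24"},
    {"id": "101", "name": "web", "subnet": "192.168.201.0/24"},
    {"id": "110", "name": "db", "subnet": "192.168.202.0/24"},
]


def target_list(vlans):
    """Equivalent of ``vlans | map(attribute='id') | list``."""
    return [v["id"] for v in vlans]


def extra_vlans(existing_vlans_list, vlans, normalize=True):
    """Return VLAN IDs present on the device but missing from the data model.

    existing_vlans_list stands for what nxos_vlan reports in its results. The
    example assumes it may hold strings or integers (an assumption; inspect the
    registered variable with debug), so ``normalize`` converts both sides to
    strings before comparing, the equivalent of ``| map('string') | list``."""
    target = target_list(vlans)
    existing = list(existing_vlans_list)
    if normalize:
        target = [str(x) for x in target]
        existing = [str(x) for x in existing]
    return ansible_difference(existing, target)


def should_fail(existing_vlans_list, vlans, normalize=True):
    """The ``when:`` condition of the fail task: a non-empty list is truthy."""
    return bool(extra_vlans(existing_vlans_list, vlans, normalize))


if __name__ == "__main__":
    # Constructed device states
    device_a = ["1", "100", "101", "110"]          # matches the data model
    device_b = ["1", "100", "101", "110", "999"]   # one rogue VLAN
    device_c = [1, 100, 101, 110]                  # integers, same VLANs
    print("A extra:", extra_vlans(device_a, VLANS))
    print("B extra:", extra_vlans(device_b, VLANS))
    # Without normalisation every integer is reported as "extra"
    print("C extra (raw):", extra_vlans(device_c, VLANS, normalize=False))
    print("C extra (normalised):", extra_vlans(device_c, VLANS))
```

The point of the normalisation step is that a type mismatch between the data model (quoted IDs) and the module output does not produce an error; it produces a false "extra VLAN" alarm on every host, which is the failure mode the warning on the slide describes.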


Creating Nexus OS VLANs

$ ansible-playbook -v nexus-vlan.yml --tags VLAN

Demo 3
Create Interfaces on Nexus OS

---
- hosts: nxos
  name: configure interfaces
  tags: interface
  tasks:
  - nxos_interface:
      provider: "{{nxapi}}"
      interface: "Vlan{{item.vlan}}"
      admin_state: up
    with_items: "{{interfaces}}"
    when: item.vlan is defined
  - nxos_interface:
      provider: "{{nxapi}}"
      interface: "{{item.interface}}"
      admin_state: up
    with_items: "{{interfaces}}"
    when: item.interface is defined

Parameters:
• Interface name
• State (present, absent)
• Administrative state (up, down)

Demo 4
Checking Configuration Changes

$ ansible-playbook -v --check nexus-interfaces.yml

Execute Configuration Changes

$ ansible-playbook -v nexus-interfaces.yml

Configure IP Interfaces on Nexus OS

---
- hosts: nxos
  name: configure interface IP addresses for VLAN interfaces
  tags: interface
  tasks:
  - nxos_ip_interface:
      provider: "{{nxapi}}"
      interface: "Vlan{{item.vlan}}"
      version: v4
      addr: "{{item.ip}}"
      mask: "{% set v = vlans|selectattr('id','equalto',item.vlan)|first %}{{ v.subnet|ipaddr('prefix') }}"
    with_items: "{{interfaces}}"
    when: "{{ item.vlan is defined }}"

Parameters: interface name, IPv4 or IPv6 address, subnet mask, state (present|absent)

Aside: Dealing with Broken Data Model

mask: "{% set v = vlans|selectattr('id','equalto',item.vlan)|first %}{{ v.subnet|ipaddr('prefix') }}"

vlans:
  - { id: "100", name: "mgmt", subnet: "172.16.1.0/24" }
  - { id: "101", name: "web", subnet: "192.168.201.0/24" }

Required operation:
• Find the prefix for VLAN item.vlan

First steps
• Start with the vlans list of dictionaries
• Select all dictionaries from the list where the id key has a value equal to item.vlan (use selectattr, which returns a generator)
• Select the first item from the generator
• Set the Jinja2 variable v to the first item returned from the selectattr generator

Aside: Dealing with Broken Data Model (2)

mask: "{% set v = vlans|selectattr('id','equalto',item.vlan)|first %}{{ v.subnet|ipaddr('prefix') }}"

vlans:
  - { id: "100", name: "mgmt", subnet: "172.16.1.0/24" }
  - { id: "101", name: "web", subnet: "192.168.201.0/24" }

Result from previous steps:


• Jinja2 variable v contains dictionary with id equal to item.vlan
Final steps
• Select the subnet key from the dictionary v
• Get the IP prefix from the subnet key using ipaddr filter
Why does it work?
• {% … %} is Jinja2 statement block (where you can set variables)
• {{ … }} is Jinja2 expression block (where you compute the value to insert in the template)
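The same two-step lookup (selectattr and first, then ipaddr('prefix')) carried out in plain Python, as an added example that is not part of the slides or of Ansible. It uses the standard ipaddress module in place of the ipaddr filter, constructs the VLAN and interface data to match the data model shown earlier, and adds a data-model check that reports the two cases where the template would abort halfway through a play: a VLAN ID that is not in vlans (first on an empty generator) and a VLAN entry without a subnet key.

```python
# Added example (not from the ipSpace.net slides or from Ansible): the Jinja2
# lookup
#   {% set v = vlans|selectattr('id','equalto',item.vlan)|first %}
#   {{ v.subnet|ipaddr('prefix') }}
# done in plain Python with the standard ipaddress module, plus validation of
# the data model on the control host.
import ipaddress

# Constructed data mirroring all.yml and s1.lab.local.yml from the earlier slide
VLANS = [
    {"id": "1", "name": "default"},
    {"id": "100", "name": "mgmt", "subnet": "172.16.1.0/24"},
    {"id": "101", "name": "web", "subnet": "192.168.201.0/24"},
    {"id": "110", "name": "db", "subnet": "192.168.202.0/24"},
]
INTERFACES = [
    {"vlan": "100", "ip": "172.16.1.101"},
    {"vlan": "101", "ip": "192.168.201.3"},
    {"interface": "loopback0", "prefix": "192.168.0.1/32"},
]


def select_vlan(vlans, vlan_id):
    """selectattr('id', 'equalto', vlan_id) | first, with a clear error instead
    of Jinja2's 'No first item, sequence was empty'. IDs are compared as strings
    because the data model quotes them."""
    v = next((v for v in vlans if str(v["id"]) == str(vlan_id)), None)
    if v is None:
        raise KeyError("VLAN %s is not in the vlans data model" % vlan_id)
    return v


def vlan_network(vlans, vlan_id):
    """The subnet of a VLAN as an ip_network object (v.subnet in the template)."""
    v = select_vlan(vlans, vlan_id)
    if "subnet" not in v:
        raise KeyError("VLAN %s has no subnet in the data model" % vlan_id)
    # strict=True rejects a subnet with host bits set (e.g. 172.16.1.5/24)
    return ipaddress.ip_network(v["subnet"], strict=True)


def prefix_length(vlans, vlan_id):
    """subnet | ipaddr('prefix'): the prefix length of the VLAN's subnet."""
    return vlan_network(vlans, vlan_id).prefixlen


def vlan_interface_addresses(vlans, interfaces):
    """(interface, address, prefix length) for every VLAN interface, i.e. what
    the nxos_ip_interface loop computes per item; loopbacks are skipped the way
    'when: item.vlan is defined' skips them."""
    out = []
    for item in interfaces:
        if "vlan" not in item:
            continue
        net = vlan_network(vlans, item["vlan"])
        addr = ipaddress.ip_address(item["ip"])
        if addr not in net:  # sanity check the template does not perform
            raise ValueError("%s is outside %s" % (addr, net))
        out.append(("Vlan%s" % item["vlan"], str(addr), net.prefixlen))
    return out


def data_model_problems(vlans, interfaces):
    """Validate the data model up front and return the problems found, so a
    broken entry is caught on the control host rather than on the device."""
    problems = []
    for item in interfaces:
        if "vlan" not in item:
            continue
        try:
            vlan_interface_addresses(vlans, [item])
        except (KeyError, ValueError) as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for row in vlan_interface_addresses(VLANS, INTERFACES):
        print(row)
    bad = INTERFACES + [{"vlan": "999", "ip": "10.0.0.1"}]
    print(data_model_problems(VLANS, bad))
```

Running the check as a pre-flight task (for instance with assert or fail in the playbook) keeps a typo in the data model from failing on one switch after the preceding hosts have already been configured.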

Checking IP Address Configuration Changes

$ ansible-playbook -v --check nexus-ip-interfaces.yml

Demo 5
Execute IP Address Configuration Changes

$ ansible-playbook -v nexus-interfaces.yml

Generic Configuration Changes

Managing Devices with Block Indent Configuration Syntax

Many networking devices use the "industry standard" configuration syntax:


• Cisco IOS, IOS XR, Nexus OS
• Arista EOS

Ansible xxx_config task takes these parameters:


• Configuration lines
• Parent configuration block
• Command(s) to execute before starting configuration change

The config task will:


• Retrieve the running configuration
• Compute commands necessary to bring running configuration to desired state
• Execute the minimal set of configuration commands

Configure SNMP on Cisco IOS and Nexus OS

---
- hosts: ios
  tasks:
  - name: "Configure SNMP on IOS devices"
    ios_config:
      provider: "{{cli}}"
      lines:
      - "snmp-server community {{snmp_community}} RO"
      - "snmp-server host {{snmp_host}} {{snmp_community}}"

- hosts: nxos
  tasks:
  - name: "Configure SNMP on Nexus OS devices"
    nxos_config:
      provider: "{{cli}}"
      lines:
      - "snmp-server user {{snmp_community}} network-operator"
      - "snmp-server host {{snmp_host}} traps version 2 {{snmp_community}}"
      - "snmp-server community {{snmp_community}} group network-operator"

Check Configuration Changes

$ ansible-playbook -v config-simple.yml --check

Demo 6
Make Configuration Changes

$ ansible-playbook -v config-simple.yml

Make Configuration Changes … Again

$ ansible-playbook -v config-simple.yml

SNMP Configuration on Nexus OS

SW1# show run | include snmp


snmp-server contact admin@lab.local
snmp-server location Virtual

snmp-server user cisco network-operator
snmp-server host 172.16.1.12 traps version 2c cisco
snmp-server enable traps link
snmp-server community cisco group network-operator

Configure BGP Neighbor on Cisco IOS

---
- hosts: ios
  tasks:
  - name: "Configure BGP"
    ios_config:
      provider: "{{cli}}"
      parents:
      - "router bgp 65000"
      lines:
      - "neighbor 172.16.1.101 remote-as 65001"

Demo 7
Check BGP Configuration Changes

$ ansible-playbook -v config-bgp-ios.yml --check

Make BGP Configuration Changes

$ ansible-playbook -v config-bgp-ios.yml

Check BGP AS Number Before Configuring It

---
- hosts: ios
  tasks:
  - name: "Check BGP AS number"
    ios_command:
      provider: "{{cli}}"
      commands:
      - "show ip protocol summary | include bgp"
      - "show ip protocol summary | include bgp 65000"
    register: protocols
  - name: "Check BGP AS Number"
    fail: msg="BGP AS number mismatch {{protocols.stdout[0]}}"
    when: "{{ protocols.stdout[0] and not (protocols.stdout[1]) }}"

Slide annotations: the first show command is one of the few commands that prints the BGP AS number; when its output is not empty, the output of the second command shouldn't be empty either.

Hint:
• First command will return some printout if BGP runs on the box
• Second command will return one line if BGP AS number matches
• Replace AS number with a variable in real-life playbook

Check BGP AS Number

$ ansible-playbook -v config-bgp-ios-check.yml

Demo 8
Configuring Order-Sensitive Objects

Example: Configuring ACL

---
- hosts: ios
  tasks:
  - name: "Configure ACL on Cisco IOS"
    ios_config:
      provider: "{{cli}}"
      parents:
      - "ip access-list extended AllowedTraffic"
      lines:
      - "permit tcp any eq www any"
      - "permit tcp any any eq www"
      - "deny tcp any any log"
      - "deny ip any any log"

Simplistic approach: let’s list the lines in the ACL and hope for the best

Current and Desired ACL Contents

Current:

R1#show run | sect Allow
ip access-list extended AllowedTraffic
 permit tcp any eq www any
 deny tcp any any log
 deny ip any any log

Desired:

ip access-list extended AllowedTraffic
 permit tcp any eq www any
 permit tcp any any eq www
 deny tcp any any log
 deny ip any any log

Note: use the logging features available on your networking device
• Log log-in attempts
• Log executed commands (TACACS+ or locally)

What Will Happen If We Just Add a Line?

$ ansible-playbook -v config-acl-add.yml

Demo 9
Extra Line Is Inserted at the Bottom of ACL

R1#show run | sect Allow


ip access-list extended AllowedTraffic
permit tcp any eq www any
deny tcp any any log
deny ip any any log
permit tcp any any eq www

The ACL is never fixed because Ansible checks for the presence of configuration lines, not their order

Changing the Matching Criteria

- ios_config:
    provider: "{{cli}}"
    parents:
    - "ip access-list extended AllowedTraffic"
    lines:
    - "permit tcp any eq www any"
    - "permit tcp any any eq www"
    - "deny tcp any any log"
    - "deny ip any any log"
    match: exact

The match parameter specifies the configuration matching approach:

• line: the specified lines must be present within the configuration block
• strict: the lines must match with respect to their position in the block
• exact: the specified lines must be an exact match of the configuration block
• none: don't bother comparing, just execute the configuration commands (new in 2.2)

Demo 10
Retrying with Exact Matching

$ ansible-playbook -v config-acl-add-exact.yml

Extra Line Is Inserted at the Bottom of ACL

R1#show run | sect Allow


ip access-list extended AllowedTraffic
permit tcp any eq www any
deny tcp any any log
deny ip any any log
permit tcp any any eq www

The ACL lines are still in an incorrect order:

• New lines are added at the bottom of the ACL
• Existing lines are not added to the ACL again
• Even though Ansible resends all ACL lines, nothing changes

We must remove the ACL before recreating it


Execute a Command Before Changing Configuration

- ios_config:
    provider: "{{cli}}"
    parents:
    - "ip access-list extended AllowedTraffic"
    lines:
    - "permit tcp any eq www any"

    match: exact
    before:
    - "no ip access-list extended AllowedTraffic"

• before: ordered set of commands to execute before changing the configuration
• after: ordered set of commands to execute after the configuration change
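A small model of the whole order-sensitive ACL story (demos 9 to 11), as an added Python example that is not code from the slides or from the ios_config module: it reproduces, on constructed data, why the ACL is never repaired with match: line or match: exact, and why the before command fixes it. The match semantics implemented here are my reading of the descriptions on the slides, not the module's source; the device model assumes only that IOS appends a new ACL entry at the bottom and ignores an entry that already exists.

```python
# Added example (not from the ipSpace.net slides or from Ansible): a model of
# how a config task with 'match' and 'before' decides what to send, and of how
# IOS applies ACL entries, used to reproduce demos 9 to 11 on constructed data.
# Match semantics are an assumption based on the slide text.

PARENT = "ip access-list extended AllowedTraffic"

# Desired ACL (the 'lines' list of the playbook)
DESIRED = [
    "permit tcp any eq www any",
    "permit tcp any any eq www",
    "deny tcp any any log",
    "deny ip any any log",
]

# Constructed: the ACL as 'show run | sect Allow' printed it on R1
CURRENT = [
    "permit tcp any eq www any",
    "deny tcp any any log",
    "deny ip any any log",
]


def plan(current, desired, match="line", before=()):
    """Commands the config task would send for one parent block.

    line   : send every desired line missing from the block, order ignored
    strict : send a desired line unless it sits at the same position
    exact  : send all lines unless the block equals the desired list exactly
    'before' commands are prepended only when there is something to send."""
    current, desired = list(current), list(desired)
    if match == "line":
        missing = [l for l in desired if l not in current]
    elif match == "strict":
        missing = [l for i, l in enumerate(desired)
                   if i >= len(current) or current[i] != l]
    elif match == "exact":
        missing = desired if current != desired else []
    else:
        raise ValueError("unsupported match mode %r" % match)
    if not missing:
        return []
    return list(before) + [PARENT] + missing


def apply_acl(current, commands, parent=PARENT):
    """IOS-style application: 'no <parent>' drops the ACL, entering the parent
    re-creates it, each entry appends at the bottom unless already present."""
    acl = list(current)
    for cmd in commands:
        if cmd == "no " + parent:
            acl = []
        elif cmd == parent:
            continue
        elif cmd not in acl:
            acl.append(cmd)
    return acl


def converge(current, desired, match="line", before=(), runs=2):
    """Run the task 'runs' times; return the final ACL and the commands sent
    on each run (an empty list means that run was idempotent)."""
    acl, sent = list(current), []
    for _ in range(runs):
        cmds = plan(acl, desired, match, before)
        sent.append(cmds)
        acl = apply_acl(acl, cmds)
    return acl, sent


if __name__ == "__main__":
    for mode, before in (("line", ()), ("exact", ()),
                         ("exact", ("no " + PARENT,))):
        acl, sent = converge(CURRENT, DESIRED, mode, before)
        print(mode, "before=%s" % list(before))
        print("  commands run 1:", sent[0])
        print("  commands run 2:", sent[1])
        print("  final order OK:", acl == DESIRED)
```

With match: line the second run sends nothing, so the playbook looks idempotent while the ACL is wrong; with match: exact the playbook keeps reporting a change on every run without ever fixing it. Only the remove-and-recreate variant ends in the desired order and is quiet on the second run, which is the behaviour demo 11 shows. The trade-off to keep in mind is that between the no and the re-creation the ACL does not exist, so traffic the ACL should block passes (or, on an interface that references it, is handled by the platform's empty-ACL rule) for that short window.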

Demo 11
Remove and Recreate the ACL

$ ansible-playbook -v config-acl-add-before.yml

Second run:

Deploying Configuration Files

Deploying Configuration Files to Network Devices
Ansible network device configuration modules take two types of arguments:
• lines, potentially combined with parents
• Configuration file or Jinja2 template (src parameter) that is merged with the current configuration
• Both methods are implemented for Cisco ASA, Dell OS, Arista EOS, Cisco IOS, IOS-XR and Nexus OS, Junos, Nokia SR OS and Vyos

All modules implement:
• backup parameter (save previous config to the Ansible host)

Most modules provide:
• config parameter to supply a baseline configuration
• save parameter to save the running configuration to the startup configuration

Device Configuration Merge Process
When the src parameter is specified, the device configuration modules:
• Generate the current device configuration if needed
• Save the current device configuration on the Ansible host if the backup parameter is specified
• Compare the current device configuration (or the contents of the config file) with the configuration commands in the src file using the match and replace options
• Generate the minimum list of configuration commands to be executed on the networking device to get the desired results
• Execute the configuration commands

Device Configuration Merge Process: Junos
Junos_command module provides additional options:
• confirm timeout value for commit confirm
• replace replace or merge individual configuration objects (2.2)
• rollback rollback to specified (or most recent) commit
• src_format XML, set, text or json
• update update method: merge, overwrite or replace (2.3+)

Simple Deployment of Configuration Files

---
- name: Enable command logging on Cisco IOS
  hosts: ios
  tasks:
  - name: Enable/Disable command logging
    ios_config:
      src: "enableLogging.cfg"
      host: "{{ansible_host}}"
      username: "{{ansible_user}}"
      password: "{{ansible_ssh_pass}}"
    register: results
  - debug: var=results

Demo 12
Deployment of Configuration Templates

- name: Create and deploy OSPF configurations
  hosts: all
  vars:
    configs: "{{inventory_dir}}/configs"
  tasks:
  - name: Create configuration directory
    local_action: file path={{configs}} state=directory
    run_once: true
    tags: [ config ]

  - name: Create configurations
    template: src=ospf-config.j2 dest={{configs}}/{{inventory_hostname}}.ospf.cfg
    tags: [ config ]

  - name: Deploy configurations
    ios_config:
      provider: "{{ios_provider}}"
      src: "{{configs}}/{{inventory_hostname}}.ospf.cfg"
    tags: [ deploy ]
    register: changes

Questions?

Send them to ip@ipSpace.net or @ioshints
