Configuration management (CM) utilities can automate the configuration of network devices, saving time and eliminating many of the human errors introduced during manual configuration.
While this functionality is rolled up in software-defined networking and intent-based networking products, it can also be tapped for free using open-source software.
This article shows how to use the free Ansible CM utility from Red Hat running on a free Ubuntu Linux operating system within a virtual server created with free VirtualBox software. For the purposes of this cookbook, Ansible is used to automate CM for Cisco IOS-based routers, but Ansible modules are available for other vendors' gear and other utilities, including A10, Aruba, Citrix Netscaler, F5, Fortinet, Juniper, Palo Alto Networks and others.
Step 1: Launch the Ansible server
First, download VirtualBox from virtualbox.org and install it; it creates the virtual machine on your computer where you will install Ubuntu and then run Ansible.
Go to ubuntu.com and download the Ubuntu 18.04 LTS desktop ISO to your local hard drive (this article used 18.04.1; later point releases of 18.04 work the same way).
Now using VirtualBox, create an Ubuntu virtual machine on which to run Ansible.
In VirtualBox, click the blue “New” icon.
Type in the name of the virtual server: Ansible Server.
Select the Type: Linux.
Select the Version: Ubuntu (64-bit), click Next.
Give this system 4 GB of RAM (4096 MB), click Next.
Accept the default 10 GB of hard disk storage, leave "Create a virtual disk now" checked, click Create.
Leave the default VDI selected, click Next.
Leave the default “Dynamically allocated” selected, click Next.
Leave the file location and size default settings, click Create.
You see that one virtual server has been created.
Now you need to make some configuration settings before booting it up.
Select the Ubuntu virtual server from the list of virtual servers in VirtualBox and click on the “Settings” cog button.
Select Storage on the left pane of the Setting options.
Next to Controller: IDE, click the button to “Adds Optical Drive” > Choose Disk > Select the Ubuntu 18.04.1 ISO file downloaded previously.
Select Network, on the left pane of Setting options.
Under the Adapter 1 tab, make sure "Enable Network Adapter" is checked.
Select Attached to: "Bridged Adapter" and under Name select the Ethernet interface of your computer, then click OK. A bridged adapter puts the virtual machine directly on the same network as your computer, which is what lets it reach the lab routers (and also makes it reachable from that network, so treat it like any other host there).
Now you are ready to start the virtual machine.
Click the “Start” green right-arrow icon. (Now the Ubuntu operating system will start to boot up.)
Select your language: English, click Install Ubuntu.
Keyboard layout: English, English, click Continue.
Choose Normal Installation, Download updates while installing, click Continue.
Select "Erase disk and install Ubuntu", click Install Now, click Continue. This erases only the 10 GB virtual disk you just created, not your computer's disk.
Select your timezone, click Continue.
Enter a name, enter the virtual computer name, username and password, click Continue.
Let it install the software. This takes a few minutes.
Click “Restart Now” when prompted.
When it prompts “Remove the installation media”, press Enter.
Now the system is running, and you can log on to the VirtualBox console as the user you just created.
Go through the introductory screens > Next > Next > Next > Done.
The default resolution can be pretty small for many computers, so you can increase it if you like. You might be able to simply scale the window to be larger by clicking and dragging the lower-right corner of the window. You can also change the display size with the Displays app. Click on the top-left “Activities”, type Displays, click on the Displays app. Under Resolution, select the resolution, Apply, Keep changes.
When prompted, install updates because you want to be working with the latest software. Enter your password and if prompted, restart the system.
Step 2: Configure the Ansible server
Now you want to further update and patch, and install some basic tools, python and Ansible on this system.
Log into the Ansible Server console in VirtualBox and launch a terminal window.
Click Activities, then type the word “Terminal” and the Terminal app will be listed. Click on that icon.
Run the following commands from the Terminal "$" prompt. When you run the first sudo command you will be prompted for your password.
sudo apt update
sudo apt upgrade -y
sudo apt install openssh-server -y
sudo apt install net-tools -y
sudo apt install sshpass -y
sudo apt install tree -y
sudo apt install python python-pip python-setuptools -y
sudo apt install ansible -y
At this point you can use SSH to connect to the Ansible Server.
Run the ifconfig command (installed by the net-tools package above; ip addr works too) to determine the IPv4 address of the virtual server, and use your favorite SSH utility to connect to that IP address using your username and password.
This should log you into the system and you should be in the /home/username directory.
Now create an ansible directory and place your configuration inside.
Type
mkdir ansible
Change into that directory
cd ansible
Create the Ansible configuration file with the name ansible.cfg using the nano editor
nano ansible.cfg
The contents of the file should look like this:
[defaults]
inventory = ./myrouters
host_key_checking = False
timeout = 5
Note: inventory is the current name of this setting; older articles use hostfile, which Ansible accepts with a deprecation warning. Setting host_key_checking = False tells Ansible to accept whatever SSH host key a router presents, which is convenient in the lab but lets anyone who can intercept the session impersonate the router. Once things work, record each router's key with ssh-keyscan (for example ssh-keyscan -t rsa 192.168.1.250 >> ~/.ssh/known_hosts, run while you are sure you are talking to the real router) and delete that line.
Now create a manual inventory file of your routers.
Create a subdirectory called myrouters
mkdir myrouters
Change into that directory
cd myrouters
Create a file called routers with the nano editor
nano routers
The contents of the file should look like this:
all:
  children:
    myrouters:
      hosts:
        router1:
          ansible_host: 192.168.1.250
          ansible_user: cisco
        router2:
          ansible_host: 192.168.1.251
          ansible_user: cisco
Note: This file uses YAML syntax so the blank spaces at the beginning of each line in the nested hierarchy of settings are very important.
Substitute the IP addresses of your test routers into this configuration file. In this example, the username/password of the routers is cisco/cisco. Obviously, that’s not the most secure choice, but you can customize it for your username.
Note: You won't want to test this technique on your production devices. Select a router in your lab first to gain familiarity with how Ansible works before deploying any configuration commands into production. Also, working within a change window helps prevent a "résumé-generating event".
Now create a file to hold the password for each router. Ansible automatically loads host_vars/<hostname> for each inventory host, both from beside the inventory and from the directory the playbook (or ad-hoc command) runs from, so the file names must match the host names in the inventory.
Move up one working directory
cd ..
Create a directory to hold the passwords
mkdir host_vars
Change into that directory
cd host_vars
Create a file for the password for router1 (the IP address is already in the inventory, so it does not need to be repeated here)
nano router1
The contents of the file should look like this:
---
ansible_password: cisco
Create a file for the password for router2
nano router2
The contents of the file should look like this:
---
ansible_password: cisco
Note: ansible_ssh_pass is the older name for the same variable and still works. These files hold passwords in clear text, so at minimum restrict them with chmod 600 host_vars/router1 host_vars/router2. Once everything works, encrypt them in place with ansible-vault encrypt host_vars/router1 host_vars/router2 and add --ask-vault-pass to your ansible and ansible-playbook commands; Ansible decrypts them transparently.
Configure the ~/ansible/myrouters/routers file and the ~/ansible/host_vars/ files based on the routers, IP addresses, usernames and passwords of the routers you are testing with.
You can use the tree command to see the files you have created and which directory they are in.
tree
.
├── ansible.cfg
├── host_vars
│   ├── router1
│   └── router2
└── myrouters
    └── routers
2 directories, 4 files
Return to the base ansible directory, move up one working directory
cd ..
Now you are ready to test using ansible to run a command on router1.
ansible router1 -u cisco -m raw -a "ping 192.168.1.1"
(Substitute an address your routers can reach for 192.168.1.1.) You should see Ansible run and print "router1 | SUCCESS | rc=0 >>" followed by the output of the ping command. The raw module sends the command over SSH exactly as typed and does not need Python on the target, which is why it works on an IOS router where most Ansible modules would not.
Test out using ansible to run a command on router2.
ansible router2 -u cisco -m raw -a "ping 192.168.1.1"
You should see the same successful output on the second router.
Now test if you can use ansible to communicate to both routers together using the group name “myrouters”.
ansible myrouters -u cisco -m raw -a "ping 192.168.1.1"
This should have succeeded, and you can observe the output from both routers.
You can use this same ansible method to run another command on router1.
ansible router1 -m raw -a "show clock" -c ssh
Use ansible to run another command on router2.
ansible router2 -m raw -a "show clock" -c ssh
Now run the “show running-configuration” command on both routers “myrouters”.
ansible myrouters -m raw -a "show run" -c ssh
Step 3: Create an Ansible playbook
The next step is creating an Ansible playbook to configure Network Time Protocol (NTP) to use a time server located at NIST in Boulder, Colorado. This playbook uses the built-in ios_config module to make a configuration change to an IOS router.
Now create a playbook YAML file in the /home/username/ansible/ directory using the nano editor
nano ntp_playbook.yml
The contents of the file should look like this:
---
- name: NTP Playbook
  hosts: myrouters
  connection: local
  gather_facts: false
  remote_user: cisco
  tasks:
    - name: Configure NTP
      ios_config:
        lines:
          - ntp server 132.163.96.4
      register: ntp_result
Note: Again, this is a YAML formatted file so pay attention to the blank spaces before each line. You should be able to just copy/paste this file from here into your SSH session. With connection: local, ios_config reads the address, username and password from the same inventory and host_vars values the ad-hoc commands used. On Ansible 2.5 and later, connection: network_cli (with ansible_network_os: ios set for each host in the inventory) is the supported way to drive the ios_* modules and uses the same credentials; connection: local still works but is the legacy path.
Now run this playbook (adding --check --diff first will show what ios_config would change without sending anything to the routers):
ansible-playbook ntp_playbook.yml
and it will make this NTP configuration change to both routers. You should observe output showing that the configuration change was successfully made to both routers. Running it a second time should report changed=0 for each router, because ios_config only pushes lines that are missing from the running configuration.
You can run another ansible command on both routers to verify that NTP was successfully configured:
ansible myrouters -m raw -a "show ntp associations" -c ssh
You should observe that the NTP configuration worked, and NTP associations are formed from your routers to the NIST time server.
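To see why re-running the playbook is safe, and what it does not do, here is an added example that models the default match: line behaviour of ios_config. It is not Ansible's own code and is not from the original article; the running-config text inside it is constructed sample data for a lab router, and the helper names (parse_config, plan_changes, stale_servers) are this example's own. It shows that the NTP line is pushed once and then never again, and that a pre-existing NTP server is left in place because lines: only adds configuration.

```python
"""Model of how ios_config decides which lines to push (added example).

This is not Ansible's own code: it reproduces the default `match: line`
behaviour of ios_config in a few functions so the idempotency of the NTP
playbook above can be inspected offline. RUNNING_CONFIG is constructed
sample text, not output captured from a real router.
"""

# Constructed sample of `show running-config` from a lab router. It already
# has one NTP server that is not the NIST server the playbook configures.
RUNNING_CONFIG = """\
hostname router1
!
ntp server 10.0.0.5
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.168.1.250 255.255.255.0
!
line vty 0 4
 transport input ssh
!
"""


def parse_config(text):
    """Return the config as a set of (parents, line) pairs.

    IOS indents child lines one space per nesting level, so indentation
    tells us which section a line belongs to. "!" separator lines and
    blank lines are dropped.
    """
    entries = set()
    stack = []  # enclosing section lines for the current nesting level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        del stack[depth:]  # climb back out to this line's level
        entries.add((tuple(stack), line))
        stack.append(line)
    return entries


def plan_changes(running, lines, parents=()):
    """Commands ios_config would send for `lines` under `parents`.

    With the default `match: line`, a desired line is pushed only when it
    is absent from its section. If nothing is missing the task reports
    changed=false and sends nothing, which is what makes re-running the
    playbook safe.
    """
    have = parse_config(running)
    missing = [ln for ln in lines if (tuple(parents), ln) not in have]
    if not missing:
        return []
    return list(parents) + missing


def apply_top_level(running, commands):
    """Simulate the router accepting global-config commands (sample only)."""
    return running + "".join(cmd + "\n" for cmd in commands)


def stale_servers(running, wanted):
    """`no ntp server ...` commands for servers configured but not wanted.

    `lines:` only adds configuration; it never removes it. This is the
    clean-up the NTP playbook does not do on its own (ios_config's
    `replace` option or explicit `no` lines are needed for that).
    """
    have = parse_config(running)
    configured = {line.split()[2] for parents, line in have
                  if not parents and line.startswith("ntp server ")}
    return ["no ntp server %s" % s for s in sorted(configured - set(wanted))]


if __name__ == "__main__":
    wanted = ["ntp server 132.163.96.4"]
    first = plan_changes(RUNNING_CONFIG, wanted)
    print("first run pushes:", first)
    after = apply_top_level(RUNNING_CONFIG, first)
    print("second run pushes:", plan_changes(after, wanted))
    print("left behind:", stale_servers(after, ["132.163.96.4"]))
```

The real module also offers match: exact, match: strict and match: none, plus replace: block, which change this comparison; the model covers only the default. The practical lesson for the NTP playbook is that it converges the routers toward having the NIST server but does not remove a rogue or stale one, so a playbook meant to enforce a known-good NTP configuration needs explicit no ntp server lines (or replace) as well.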
You now have a simple Ansible virtual server that is capable of automated configuration management on Cisco IOS routers.
Next Steps:
Obviously, this just scratches the surface of what could be done with Ansible and network devices. To evolve this Ansible virtual server into a fully functional CM system:
- Continually run this playbook to make sure that the NTP server settings on the routers stay the way the playbook specifies (and extend it to remove NTP servers that should not be there, since lines: only adds configuration)
- Improve the storage of the passwords by using SSH keys for authentication and Ansible Vault for any secrets that must remain in files
- Expand this deployment to additional routers
- Build out more complicated configuration commands using Jinja2 templates.
- Utilize other Ansible Cisco IOS modules such as ios_command, ios_interface or ios_system.
- Expand to use Ansible with other network vendors. There are Ansible modules for many different network vendors.
- Integrate network playbooks into the other Ansible playbooks that the DevOps, server administrators and security administrators might be using when they deploy new applications.
- Utilize the same Ansible framework to provision application infrastructure from networking, system, operating system, to application layers. This is a critical capability to build a PaaS or SaaS offering on a multi-tenant infrastructure.
Useful Resources
Here are some links to resources that could assist you on your network programmability journey. You can take what you have just learned and deepen your knowledge of network programmability and Ansible configuration management through these other sources.
- Network Programmability and Automation, by Scott Lowe, Jason Edelman, Matt Oswalt
- Network Automation with Ansible, by Jason Edelman
- Network to Code, Jason Edelman's company
- Programming and Automating Cisco Networks, by Ryan Tischer, Jason Gooley
- YouTube Videos by Colin McCarthy and Colin’s GitHub site
- Cisco DevNet Learn network programmability basics video class by Hank Preston
- Programmability and Automation with Cisco Open NX-OS, by Cisco
- Python for Network Engineers (PyNet), by Kirk Byers and Kirk’s GitHub page
(Scott Hogg is a co-founder of HexaBuild.io, an IPv6 consulting and training firm, and has over 25 years of cloud, networking and security experience.)