Ansible Network PDF

Some key takeaways from the document are that Ansible is a powerful automation tool that can be used to automate tasks across servers, storage, and networking. It is agentless, uses human-readable automation languages and allows organizations to scale their automation.

Some common use cases for Ansible include backup and restore of network device configurations, upgrading network device operating systems, ensuring configuration compliance, applying patches to address vulnerabilities, generating dynamic documentation, and automating discrete tasks like managing VLANs and firewall rules.

Ansible works by copying module code to managed nodes and executing it. It uses SSH or WinRM for communication and does not require installing any agents on remote nodes. Playbooks define automation tasks that can be run sequentially on groups of nodes.

NETWORK AUTOMATION WORKSHOP

Introduction to Ansible for network engineers and operators


Housekeeping

● Timing
● Breaks
● Takeaways
What You Will Learn
Ansible is capable of handling many powerful automation tasks with the flexibility to adapt to many environments and workflows.

● What is Ansible, its common use cases
● How Ansible works and terminology
● Network modules
○ Backup and Restore network devices
○ Self documenting networks
● Using roles
● Ansible Tower
MANAGING NETWORKS HASN’T CHANGED IN 30 YEARS.
According to Gartner

Source: Gartner, Look Beyond Network Vendors for Network Innovation. January 2018. Gartner ID: G00349636. (n=64)
Automation considerations

● Compute is no longer the slowest link in the chain
● Businesses demand that networks deliver at the speed of cloud
● Automation of repeatable tasks
● Bridge silos
WHAT IS ANSIBLE AUTOMATION?

Ansible Automation is the enterprise framework for automating across IT operations.

Ansible Engine runs Ansible Playbooks, the automation language that can perfectly describe an IT application infrastructure.

Ansible Tower allows you to scale IT automation, manage complex deployments and speed productivity.

RED HAT ANSIBLE TOWER
Operationalize your automation
CONTROL / DELEGATION / SCALE

RED HAT ANSIBLE ENGINE
Simple command line automation
SIMPLE / POWERFUL / AGENTLESS

FUELED BY AN INNOVATIVE OPEN SOURCE COMMUNITY



WHY ANSIBLE?

SIMPLE
● Human readable automation
● No special coding skills needed
● Tasks executed in order
● Usable by every team
● Get productive quickly

POWERFUL
● App deployment
● Configuration management
● Workflow orchestration
● Network automation
● Orchestrate the app lifecycle

AGENTLESS
● Agentless architecture
● Uses OpenSSH & WinRM
● No agents to exploit or update
● Get started immediately
● More efficient & more secure
MANAGE YOUR ENTIRE ENTERPRISE

● SYS/CLOUD ADMIN: SERVERS
● NET OPS: NETWORKING
● STORAGE ADMINS: STORAGE
ANSIBLE NETWORK AUTOMATION

● 50 Network Platforms
● 700+ Network Modules
● 12* Galaxy Network Roles

ansible.com/networking
galaxy.ansible.com/ansible-network

Ansible Network modules comprise 1/3 of all modules that ship with Ansible Engine
Common use cases
● Backup and restore device configurations
● Upgrade network device OS
● Ensure configuration compliance
● Apply patches to address CVE
● Generate dynamic documentation
● Discrete Tasks
○ Ensure VLANs are present/absent
○ Enable/Disable netflow on WAN interfaces
○ Manage firewall access list entries

Basically anything an operator can do manually, Ansible can automate.


How Ansible Works

● NETWORKING DEVICES: module code is executed locally on the control node
● LINUX/WINDOWS HOSTS: module code is copied to the managed node, executed, then removed

[Diagram: ANSIBLE AUTOMATION ENGINE. Labels: users, Ansible playbook, inventory, CLI, modules, plugins, CMDB, public/private cloud, hosts, network devices]

PLAYBOOKS ARE WRITTEN IN YAML
● Tasks are executed sequentially
● Invoke Ansible modules

MODULES ARE “TOOLS IN THE TOOLKIT”
● Python, Powershell, or any language
● Extend Ansible simplicity to the entire stack
● CORE / NETWORK / COMMUNITY

INVENTORY

[web]
webserver1.example.com
webserver2.example.com

[db]
dbserver1.example.com

[switches]
leaf01.internal.com
leaf02.internal.com

[firewalls]
checkpoint01.internal.com

[lb]
f5-01.internal.com

Understanding Inventory

10.1.1.2
10.1.1.3
172.16.1.1
172.16.1.2
192.168.1.2
192.168.1.3
Understanding Inventory - Groups
● There is always a group called "all" by default
● Groups can be nested

Inventory - variables
● Group variables apply for all devices in that group
● Host variables apply to the host and override group vars
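
The group nesting and variable precedence described above, written as a YAML-format inventory. This is an added example, not part of the original deck; the file name hosts.yml, the group names network and routers, the host names rtr1 and rtr2, the user names and the platform values are constructed for illustration.

```yaml
# hosts.yml - added example inventory; all values are constructed.
all:                                 # the default top-level group
  vars:
    ansible_user: netops             # group var: applies to every host
  children:
    network:                         # nested group: parent of routers and switches
      vars:
        ansible_connection: network_cli
      children:
        routers:
          vars:
            ansible_network_os: ios
          hosts:
            rtr1:
              ansible_host: 10.1.1.2
            rtr2:
              ansible_host: 10.1.1.3
              ansible_user: admin2   # host var: overrides all.vars for rtr2 only
        switches:
          vars:
            ansible_network_os: eos  # assumed platform for the leaf switches
          hosts:
            leaf01.internal.com:
            leaf02.internal.com:

# Check the merged variables for one host:
#   ansible-inventory -i hosts.yml --host rtr2
# ansible_user resolves to admin2 for rtr2 and to netops for every other host.
```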
A Sample Playbook
● Playbook is a list of plays.
● Each play is a list of tasks.
● Tasks invoke modules.
● A playbook can contain more than one play.
Exercise 1.0
Exploring the lab environment
In this lab you will explore the lab environment and build familiarity with
the lab inventory.

Approximate time: 10 mins


Playbook definition for network automation

● Target play execution using hosts
● Define the connection: network_cli
● About gather_facts
Running a playbook
Displaying output
Use the optional verbose flag during playbook execution

Increase the level of verbosity by adding more "v's" -vvvv


Limiting Playbook execution
Playbook execution can be limited to a subset of devices using the --limit flag.

$ ansible-playbook gather_ios_data.yml -v --limit rtr1

Forget a flag / option?

Just type ansible-playbook then press enter
A note about variables
Other than user-defined variables, Ansible supports many inbuilt variables. For example:

Variable              Explanation
ansible_*             Output of fact gathering
inventory_hostname    Magic inbuilt variable that is the name of the host as defined in inventory
hostvars              Magic inbuilt dictionary variable whose key is inventory_hostname, e.g. hostvars['webserver1'].my_variable
Displaying output - The “debug” module

The debug module is used like a "print" statement in most programming languages. Variables are accessed using "{{ }}" - quoted curly braces
Exercise 1.1
Writing your first playbook
In this lab you will write your first playbook and run it to gather facts from
routers. You will also practice the use of "verbose" and "limit" flags in
addition to working with variables within a playbook.

Approximate time: 10 mins


Modules
Modules do the actual work in Ansible, they are what gets executed in each playbook task.

● Typically written in Python (but not limited to it)
● Modules can be idempotent
● Modules take user input in the form of parameters
Network modules
Ansible modules for network automation typically reference the vendor OS followed by the module name.

● *_facts
● *_command
● *_config
More modules depending on platform

Arista EOS = eos_*
Cisco IOS/IOS-XE = ios_*
Cisco NX-OS = nxos_*
Cisco IOS-XR = iosxr_*
F5 BIG-IP = bigip_*
F5 BIG-IQ = bigiq_*
Juniper Junos = junos_*
VyOS = vyos_*
Modules per network platform
Modules Documentation
https://docs.ansible.com/
Modules Documentation
Documentation right on the command line
Limiting tasks within a play
● Tags allow the user to selectively execute tasks within a play.
● Multiple tags can be associated with a given task.
● Tags can also be applied to entire plays or roles.

- name: DISPLAY THE COMMAND OUTPUT
  debug:
    var: show_output
  tags: show

Tags are invoked using the --tags flag while running the playbook

[user@ansible]$ ansible-playbook gather_ios_data.yml --tags=show

This is useful while working with large playbooks, when you might
want to "jump" to a specific task.
Limiting tasks within a play - or skip them!
● --skip-tags allows you to skip every task that carries the given tag

- name: DISPLAY THE COMMAND OUTPUT
  debug:
    var: show_output
  tags: show

[user@ansible]$ ansible-playbook gather_ios_data.yml --skip-tags=show


Registering the output
The register parameter is used to collect the output of a task execution. The output of the
task is 'registered' in a variable which can then be used for subsequent tasks.
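
The play header from "Playbook definition for network automation" combined with the debug, tags and register features covered since then, in one playbook. This is an added example, not the workshop's own file: the `routers` group and the `show ip interface brief` command are assumptions, while `gather_ios_data.yml` and `show_output` reuse names that appear on this page.

```yaml
# gather_ios_data.yml - added example, not the workshop's own playbook.
---
- name: GATHER INFORMATION FROM ROUTERS
  hosts: routers               # assumed inventory group; narrow it with --limit rtr1
  connection: network_cli      # talk to the device CLI over SSH
  gather_facts: no             # skip the default host fact gathering; ios_facts is used instead

  tasks:
    - name: GATHER ROUTER FACTS
      ios_facts:               # populates the ansible_net_* variables

    - name: DISPLAY VERSION AND SERIAL NUMBER
      debug:
        msg: >-
          {{ inventory_hostname }} runs IOS {{ ansible_net_version }},
          serial {{ ansible_net_serialnum }}

    - name: COLLECT THE OUTPUT OF A SHOW COMMAND
      ios_command:
        commands:
          - show ip interface brief
      register: show_output    # task result is stored for later tasks
      tags: show

    - name: DISPLAY THE COMMAND OUTPUT
      debug:
        var: show_output
      tags: show

# Run only the two tagged tasks on one device:
#   ansible-playbook gather_ios_data.yml --tags=show --limit rtr1
```

Both tagged tasks share the `show` tag on purpose: running with `--tags=show` skips everything else, so the task that registers `show_output` has to be selected along with the task that prints it.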
Exercise 1.2
Module documentation,
Registering output & tags
In this lab you will learn how to use module documentation. You will also
learn how to selectively run tasks using tags and learn how to collect task
output into user defined variables within the playbook.

Approximate time: 15 mins


The *_config module
Vendor specific config modules allow the user to update the configuration on network
devices. Different ways to invoke the *_config module:
Validating changes before they are applied
Ansible lets you validate the impact of the proposed configuration using the --check flag.
Used together with the --verbose flag, it lets you see the actual change being pushed to the
device:
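
One way to invoke ios_config with global lines and with lines under a parent section, followed by the dry-run command. This is an added example, not part of the original deck; the file name router_configs.yml, the `routers` group, the ACL name MGMT-IN and the addresses are constructed, and `ntp server 1.2.3.4` reuses a line shown later on this page.

```yaml
# router_configs.yml - added example; names and addresses are constructed.
---
- name: UPDATE ROUTER CONFIGURATION
  hosts: routers
  connection: network_cli
  gather_facts: no

  tasks:
    - name: ENSURE GLOBAL CONFIGURATION LINES ARE PRESENT
      ios_config:
        lines:
          - ntp server 1.2.3.4
          - no ip http server

    - name: ENSURE ENTRIES EXIST IN A MANAGEMENT ACCESS LIST
      ios_config:
        parents: ip access-list extended MGMT-IN
        lines:
          - permit tcp 192.0.2.0 0.0.0.255 any eq 22
          - deny ip any any log
        # The default match (line) only adds lines that are missing from the
        # section. It does not reorder or remove entries already on the device.

# Dry run: report the commands that would be sent without applying them.
#   ansible-playbook router_configs.yml --check -v
# Apply, then run again: the second run should report changed=0 (idempotent).
#   ansible-playbook router_configs.yml -v
```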
Exercise 2.0
Updating the router configurations
In this lab you will learn how to make configuration changes using Ansible. The exercise will
demonstrate the idempotency of the module. Additionally you will learn how to validate a change
before actually applying it to the devices.

Approximate time: 20 mins


Scenario: Day 2 Ops - Backing up and restoring router configuration
Backing up router configuration
The backup parameter of the ios_config module triggers the backup and automatically
stores device configuration backups within a backups directory
Cleaning up the backed up configuration
The backed up configuration has 2 lines that should be removed:

The lineinfile module is a general purpose module that is used for manipulating file
contents.
Cleaning up (cont’d)
Cleaning up an exact line match:
Cleaning up (cont’d)
Matching using a regular expression:
Restoring the configuration
If any out of band changes were made to the device and it needs to be
restored to the last known good configuration, we could take the
following approach:
● Copy over the cleaned up configuration to the devices
● Use vendor provided commands to restore the device
configuration

*In our example we use the Cisco IOS command config replace. This
allows for applying only the differences between running and the
copied configuration
Restoring (cont’d)

Note the use of inventory_hostname to effect host specific changes


Exercise 2.1 & 2.2
Backup & Restore router configuration
In this lab you will implement a typical Day 2 Ops scenario of backing up and restoring device
configurations.

Approximate time: 20 mins


Scenario: Creating living/dynamic documentation
Templates
● Ansible has native integration with the Jinja2 templating engine
● Render data models into device configurations
● Render device output into dynamic documentation

Jinja2 enables the user to manipulate variables, apply conditional logic and extend programmability for network automation.
Using templates to generate configuration
Using templates to build dynamic documentation
- Generate documentation that never goes stale
- Build troubleshooting reports
- Same data to generate exec reports and engineering reports using different templates
Assembling the data
The assemble module is used to generate a consolidated file by combining fragments. This
is a common strategy used to put snippets together into a final document.
Exercise 3.0
An introduction to templating
In this lab you will use a basic Jinja2 template to generate a markdown report that contains the
device name, serial number and operating system version. You will create a report per device and
then use the assemble module to consolidate them.

Approximate time: 15 mins


A quick introduction to roles
The 2 basic files required to get started with Ansible are:
● Inventory
● Playbook
Roles
Roles are Playbooks

● Roles help simplify playbooks.
● Think of them as callable functions for repeated tasks.
● Roles can be distributed/shared; similar to libraries.
Example Playbook Directory Structure

# site.yml
---
- hosts: DC
  roles:
    - ntp
    - vlan

site.yml
roles/
  ntp/
    tasks/
      main.yml
  vlan/
    tasks/
      main.yml
Roles - really simple, but powerful
# site.yml
---
- hosts: routers
  roles:
    - ntp
    - vlan

# ntp/tasks/main.yml
- name: CONFIGURE NTP
  ios_config:
    lines: ntp server 1.2.3.4

# vlan/tasks/main.yml
- name: CONFIGURE VLAN
  ios_vlan:
    vlan_id: 100
Ansible Galaxy
http://galaxy.ansible.com

● Ansible Galaxy is a hub for finding, reusing and sharing Ansible roles.
● Jump-start your automation project with content contributed and reviewed by the Ansible community.
Using parsers to generate custom reports
On most network devices, show command output is "pretty" formatted but not structured.
The Ansible network-engine role provides support for 2 text parsing engines:
● TextFSM
● Command Parser
Structured data from show commands
Exercise 3.1
Building dynamic documentation using the command parser
The objective of this lab is to generate dynamic documentation from the output of a device show command.

Approximate time: 20 mins


AUTOMATION ACROSS
THE ENTERPRISE
WHAT IS ANSIBLE TOWER?
Ansible Tower is a UI and RESTful API allowing
you to scale IT automation, manage complex
deployments and speed productivity.

• Role-based access control
• Deploy entire applications with push-button deployment access
• All automations are centrally logged
• Powerful workflows match your IT processes


RBAC
Allow restricting playbook access to authorized users. One team can use playbooks in check mode (read-only) while others have full administrative abilities.

PUSH BUTTON
An intuitive user interface experience makes it easy for novice users to execute playbooks you allow them access to.

RESTful API
With an API first mentality every feature and function of Tower can be API driven. Allow seamless integration with other tools like ServiceNow and Infoblox.

WORKFLOWS
Ansible Tower’s multi-playbook workflows chain any number of playbooks, regardless of whether they use different inventories, run as different users, run at once or utilize different credentials.

ENTERPRISE INTEGRATIONS
Integrate with enterprise authentication like TACACS+, RADIUS, Azure AD. Setup token authentication with OAuth 2. Setup notifications with PagerDuty, Slack and Twilio.

CENTRALIZED LOGGING
All automation activity is securely logged. Who ran it, how they customized it, what it did, where it happened - all securely stored and viewable later, or exported through Ansible Tower’s API.
Extending Ansible to the Enterprise

[Diagram: Individual, Teams, Enterprise. Labels: individual, Windows team, network team, virtual project or automation team, playbooks, engine, workflow, network devices]
Next Steps
Thanks so much for joining the class. Here are some next steps on how to
get more information and join the community!
Bookmark the GitHub Project
https://www.github.com/network-automation

● Examples, samples and demos
● Run network topologies right on your laptop
Chat with us
Engage with the community

● Slack
https://ansiblenetwork.slack.com
Join by clicking here https://bit.ly/2OfNEBr

● IRC
#ansible-network on freenode
http://webchat.freenode.net/?channels=ansible-network
Next Steps
● It's easy to get started
https://ansible.com/get-started

● Do it again
https://github.com/network-automation/linklight
https://network-automation.github.io/linklight/

● Instructor Led Classes
Class DO457: Ansible for Network Automation
https://red.ht/2MiAgvA
NEXT STEPS

GET STARTED
ansible.com/get-started
ansible.com/tower-trial

JOIN THE COMMUNITY
ansible.com/community

WORKSHOPS & TRAINING
ansible.com/workshops
Red Hat Training

SHARE YOUR STORY
Follow us @Ansible
Friend us on Facebook
