Jason Edelman's Blog

DEMO: Using Ansible for Network Automation

5/18/2014

28 Comments

 
There is so much discussion about whether network engineers need to be programmers that I was almost getting pissed off last week.  It was an odd and funny feeling.  Anyway, I've written in the past here and here about the use of Ansible for networking.  In this post and video, the goal is to show why network engineers don’t need to be "hardcore programmers."
Below is a short demo of using Ansible to automate basic network configuration tasks on Cisco routers.  As more Ansible modules come out (or any other tool that does the job), we will quickly realize that the network engineer doesn’t need to be a “hardcore programmer,” but rather needs to understand the tool and articulate the requirements so that new modules can easily be added by others.  If the tools we’ll have in the future are “platforms” that can be customized by the consumer/customer, meaning the vendor isn’t required to add more functionality, then that’ll be pretty awesome for both the network engineer and the business.  It’s a win-win.

FYI: the modules being demo’d leverage Cisco’s onePK as the API to connect to and make changes to the routers.

Hope you enjoy.  As always, any feedback, good, bad, or indifferent, is welcomed in the comments section or via the Contact page.

And if you think you can benefit by using modules as shown in the video, please let me know.  I’d like to hear more about the use cases that will truly benefit the real users out there.
Thanks for reading.

-Jason

Twitter: @jedelman8

28 Comments
Michael
5/18/2014 01:23:11 pm

Hi Jason,
How does OpenPK integrate with ansible?
Also, do you know if ansible supports any sort of templating language? One good use, at least for me, would be to build configurations for devices based on standard templates. Say, we have a customer with 3 standard different-sized sites. Each one has its own configuration peculiarities. The cool thing would be to feed ansible (or any other system) the subnet allocated to the new site, hostname, some other variable details and get a full configuration ready for copy-pasting into the router.

Reply
Jason Edelman link
5/18/2014 02:30:37 pm

Hi Michael,

Good question. I used onePK in my last Ansible post too when I showed network test automation. Be sure to take a look. Ansible modules are pieces of Python code. In that code, you can do whatever you want, i.e. use other libraries such as onePK to connect to a device :).

Regarding templating, you should check out my first post on Ansible titled "Ansible For Networking." It gives the high level on how Ansible supports Jinja2 for templating. I've built out a simulation for branch offices, just haven't posted the code or video for that one, but that is a GREAT use case!

Are you focused on automating just the initial build of the configurations or that plus deployment and on going changes?

-Jason

Reply
Michael
5/18/2014 05:18:13 pm

I guess my question was more about the onepk library. Does it come with ansible? I gather it takes quite a bit of integration work to make a 3rd-party library work with ansible, doesn't it?

Now I realise that it was your blog I read about jinja. Guess I'm getting too old. :)

In my line of work I deal mostly with initial configurations. But it's quite easy to imagine the use for this kind of automation when rolling out a change to a multitude of devices.

Jason Edelman link
5/19/2014 01:40:59 am

My blog platform isn't the best, so I need to respond up here to answer your question below.

No. onePK doesn't come with Ansible. If you were interested in checking out a live demo, we can set something up 1:1 if you'd like. Just let me know via the contact page and that'll email me.

Richard
5/19/2014 05:05:28 am

I am an old-fashioned IOS CLI and SNMP user.

What is the benefit of using ansible instead of CLI or SNMP? Are we reinventing the wheel here?

Reply
Jason Edelman link
5/19/2014 03:24:16 pm

Hi Richard,

Can you be more specific with exactly what you are comparing? Please post commands and code if you can too so we can make sure we are comparing apples to apples.

Thanks,
Jason

Reply
Dwight A. Spencer link
2/6/2015 09:12:18 am

Three words "Test Driven Automation".

While SNMP is good for monitoring and device configuration, it does not allow for unit testing, only sampling. Ansible would interface with the device to execute commands via Cisco IOS cli tools.

The benefit comes in when one creates Ansible playbooks for different configuration states, and routine tasks. From there any changes needed to be applied (whether doing provisioning or filling change requests on new devices) can be applied across the inventory with one tool.

Additional benefits come from applying DevOps methodologies (UnitTests, Code Reviews, Peer Documented Projects, etc...) within the network management team and this is where Ansible plays a strong role as well.

Reply
andyhky link
5/19/2014 11:13:31 pm

Enjoyed the video - would love to see more!

We use ansible to configure our edge devices, including discovery of the node's switch/port from lldp.

http://docs.ansible.com/lldp_module.html

Reply
Jason Edelman link
5/20/2014 01:52:06 am

Hi Andy, thanks for sharing!

What types of switches are you using (that are giving you access to bash natively via SSH) ? Or are you using device specific APIs to make changes as well?

Are the modules you use for configuration public or are they custom for your environment?

Thanks,
Jason

Reply
andyhky link
5/20/2014 01:57:39 am

We're only using ansible to configure the edge devices (hypervisors) at the moment... other relevant data, e.g., allowed VLANs is pulled from the switches via SNMP.

We've open sourced some of the building blocks, like the lldp module, but the entire configuration is not open source.

Mike Aossey link
6/1/2014 09:29:58 am

Great stuff Jason! Thank you for spending the time to create and share it!

Reply
Jason Edelman link
6/2/2014 02:06:04 am

Not a problem! Glad you found it valuable!

Reply
Jonas Stenling
7/9/2014 01:48:59 am

Great stuff!

A couple of questions:

Why have you chosen to implement separate modules to do the specific tasks and not use a common "config module"?

Have you published the modules somewhere?

Reply
Jason Edelman link
7/9/2014 04:38:52 am

Jonas,

Thanks for the comment. It's an interesting question - I actually started down the monolithic config module first. The "config" module was becoming massive. The bigger the module (in terms of code), the harder to maintain. So, maintainability in addition to modularization was key for me. After making this decision, I was able to very quickly build and deploy new very small modules without worrying about breaking others.

This is also nice because the output of a module (in the future) may dictate a change in another module (think register module in Ansible). Having them be small in nature helps here too.

In any case, as I also looked at Ansible core modules, each is very precise and specific with a task/goal in mind. Ansible doesn't have an "Ubuntu" or "RHEL" config module where you configure services, packages, etc. They are broken down by services and tasks.

To your second question, the modules aren't published publicly. I'm thinking about it :). The code isn't very clean yet, but if you wanted to chat live, I'd be more than happy to, plus I'd love to hear more of your thoughts.

Reply
Frank Castillo
8/4/2014 09:12:44 am

Jason,

Really enjoyed the video and I have to say that I am excited about the possibilities.

I would very much like to take a look at the modules, irrespective of the cleanliness of the code.

Jose Luis Gonzalez
9/9/2014 05:47:23 pm

Hi Jason,
I really loved your post. It helped me get started with Ansible. Currently my role as a Network Engineer is network design and implementation, with Cisco equipment specifically. This involves creating initial configuration templates and cookbooks for pilot sites that will be deployed massively on a given customer.

Sometimes my role also involves doing small configuration changes with several devices.

Having said that, the first practical use that I see is initial configuration deployment and second use case is massive deployment of simple tasks.

I have browsed several sites and also checked your videos but I see that the Cisco examples are onePK based.

Is it possible to push the configuration to a regular Cisco device without using onePK?

I haven't seen a good example yet. Hope you can help me as this will boost my productivity with my current projects =).

Thanks in advance.

Reply
Patrick Galbraith link
10/23/2014 04:51:00 am

Jason,

Great presentation! I just recently wrote some modules for comware-5.2-based switches, which was quite the learning experience. The biggest thing that threw me off was that there was no way to use inventory_hostname, because as soon as I did, ansible would connect to that IP and attempt to run the tempdir creation and several other commands that would obviously fail (since comware doesn't have these commands - i.e. "mkdir -p $HOME/.ansible/tmp/ansible-tmp-12345xxx"). How did you get around this? Does your switch have mkdir, chmod and other commands so that that first step succeeds?

I have a blog post about mine if you are curious, or have any suggestions: http://patg.net/ansible,comware,switches/2014/10/16/ansible-comware/

BTW - where in Jersey are you? I have relatives down there and went to high school down there and the accent brings back memories :)

Reply
Jason Edelman link
10/23/2014 05:48:59 am

Hi Patrick, nice work on the modules! I took a quick look at your post and assuming you are making the SSH connection (paramiko) IN your module (using your library), you should add "connection: local" at the top of the playbook. Meaning you aren't relying on Ansible to make the connection.

All of my playbooks always start with this:

---

- name: [arbitrary name...]
  hosts: [group_name from hosts file]
  connection: local
  gather_facts: no

This way, Ansible does not attempt to connect to the device. In my example modules I'm using APIs to talk to the devices, but it's no different if you are using Paramiko.

Let me know if adding connection: local helps at all!

I'm from North Jersey...now closer to NYC, but still in Jersey!

Reply
Adeel
10/28/2014 02:25:00 am

Hi Jason ,

I saw your posts; they are very, very informative and helpful.
I'm a student of Electronics and have a project, "To automate Cisco switches using a configuration management tool".
So I want to use Ansible to automate and configure my Cisco switch. I have a normal 3750X Cisco switch. What will be the procedure?
Can you help me out in this matter?

Thank you

Best Regards,
Adeel

Reply
Rob Phoenix
10/29/2014 06:10:51 am

Great video Jason, and I have just listened to the podcast you did with the Class-C Block, really interesting and informative!

I've just started my first job in networking, in a big VAR, and got my CCNA, this week. Part of my role is to implement 'repeatable design' ie. automation of network tasks in a Cisco environment, mainly building configs and creating inventories of routers/switches SN's etc. My colleagues have started this using Powershell & Excel, which feels pretty clunky, and so I'm exploring Ansible as an alternative.
I'm deep in reading up about this and have Ansible working on a Linux VM, pinging 127.0.0.1, but am getting confused about connecting up to the Cisco router; how to set up SSH/Netconf and whatever other requirements are needed on the router. I'm not sure how to sort this out. I think I understand playbooks and should be able to write those once I have my connections up, if that makes sense.
Anyway, I just wondered if you might be able to point me in the right direction? I've learnt a lot from Kirk Byers' stuff, and Matt Oswalt's as well as your own blog/vids, but most everything I've found just assumes the connection between Ansible and the remote device, maybe I'm just missing the obvious??
Again, really interesting stuff, thanks for the effort you're making to help folk like me.
Best,
Rob

Reply
Rob Phoenix
10/29/2014 08:19:08 am

Ah jeez, I've just realised it was Jeremy Schulman on the Class-C block podcast, sorry, I've had my head buried deep in powershell forums all day and only just come up for air!

Reply
Rob Phoenix
10/30/2014 09:55:58 am

I realise I'm talking to myself here, but after spending all day trying to beat a powershell/excel script into shape at work I'm very excited to have come home and established an ansible ssh connection between my ansible VM and a Cisco router, I can move onto modules and playbooks now. This is awesome!

Jason Edelman link
10/30/2014 10:12:31 am

Hey Rob,

You aren't talking to yourself! I apologize for the delay in responding. That's awesome news.

On a side note, I would get what you want to do working in Python + the Cisco router. You would likely use some form of expect script, paramiko, etc., unless of course you are a modern Cisco device that supports onePK or NX-API.

And once you have your script in Python working, it becomes MUCH easier to port over to Ansible.

Once you get a basic script working (no Ansible yet), I'd love to take a look and test against some old switches I have too. I honestly have been trying to work with paramiko, but haven't had the time.

Let me know and we can set some time to chat live.

Reply
Rob Phoenix link
10/31/2014 09:09:43 am

No worries Jason, I was just aware I was commenting on my own comments, like a crazy person.

Thanks for the advice, I've just started learning Python (my first programming language), and will have a look at Paramiko. Like I said before I'm still understanding precisely how the script communicates with the router/switch, I assume I run it on a host computer, or should I be running it straight on the Cisco machine? I'll work it out with some more reading and practice.

I'll let you know if I have any success, and if I may, ask advice if I run head first into a brick wall!

Be grand to chat live sometime after I return from holiday.

Jason Edelman link
11/1/2014 03:33:12 am

My blog platform doesn't allow for that many "responding" comments, so this is in your response from the below one.

You would install Python on your windows machine, use it natively on your Apple machine, or a Linux box. Totally up to you. I use a dedicated ubuntu vm for my development fwiw.

It could be good to get this going in the dynamic Python interpreter (shell) first. Just type "python" at a terminal prompt and it drops you into the Python shell. So, you would run Python locally on your working dev machine and it would connect remotely to the Cisco device. Once you have it working in the shell/interpreter, create a script.

Ansible runs on Linux hosts (I use my same Ubuntu machine). Others use Apple machines, but once you have your script working, you can then port it over to Ansible and then Ansible will connect to your device as defined in your script. The benefit is leveraging the Ansible "framework."

HTH.

Jonathan link
1/22/2015 11:23:15 pm

Hi,

This is excellent. We @ansible would love to see this more readily available to the community (via Galaxy since it is vendor specific). If you feel you need to do some polishing, feel free to give me a shout and we can do some collabo via GitHub prior to making it public.

You can see here that Arista did something similar. https://github.com/arista-eosplus/ansible-eos

Reply
Jason Edelman link
1/25/2015 11:09:50 pm

Thanks. I definitely need to clean them up before pushing to galaxy. Actually working on a few other things that should end up in galaxy too, so it's all good :). That said, I do wish Ansible took a more active role with the network community!

Reply
Gerard
1/31/2015 03:16:25 am

Any additional info that you can share on the integration of onepk would be greatly appreciated. Just starting to get into automation and it's very powerful. I'm using csr1000v's in my lab, which should work perfectly with onepk.

Reply




    Author

    Jason Edelman, Founder & CTO of Network to Code. 

