DevOps 2 - Start Ansible in Cisco

By Sheldon L

Published at 2020-06-15

Updated at 2020-06-15

---

Terms in Ansible

• Inventory: Defines the nodes that Ansible knows about and groups them so they can be referenced. The inventory also includes connection information and variables.
• Playbook: A file that contains a set of instructions to be executed.
• Play: Multiple plays can exist in a playbook, which allows the playbook to apply configuration to different nodes in different sections.
• Variables: You can use custom variables in your playbooks.
• Templates: You can use Python’s Jinja2 templates with your playbooks, which is really helpful for network administration.
• Tasks: An action the playbook applies, like installing Apache on a Linux box.
• Handlers: These are a lot like tasks, except they’re only called to an event like a service starting.
• Roles Allows: you to spread out playbooks across several folders to make the configurations more modular, scalable, and flexible.
• Modules: Built into Ansible, modules are files that describe how Ansible will achieve a given task. You can also write your own. Cisco has 69 modules in the current version of Ansible that cover everything from IOS to their UCS server platform.
• Facts: These are global variables that contain a ton of information about the system, including vital stats like the system’s IP address.

Python-based solution

Install

pip install ansible

## Modules:
ansible-doc -l | grep ^ios_
ansible-doc ios_vlan
# More: ios_command, ios_config, ios_facts...

Ansible components

• Settings

## Settings:
# By default Ansible will look for the settings file by checking the ANSIBLE_CONFIG variable
# If Ansible still doesn’t find a path, it’ll try your home directory
# and then finally /etc/ansible/
# To make things easier:
mkdir /etc/ansible/
nano /etc/ansible/ansible.cfg
"""
[defaults]

host_key_checking = False
"""
# Doing this makes your lab easier because Ansible won’t try to verify the target node’s SSH keys

• Host Inventory

## Inventory:
# tells Ansible which target nodes to connect to
# and gives it information on how it should make that connection
nano /etc/ansible/hosts
"""
[switch]
sw0[1:2].testlab.com
[router]
r0[1:2].testlab.com
[cisco:children]
switch
router
[cisco:vars]
ansible_connection=local
ansible_user=ansible
ansible_password=ansible
"""

• Playbook (See following)

Examples

Set Up a Lab

(X) R01 .254 -------- [=] SW01 .1 ======== [=] SW02 .1 -------- (X) R02 .254
        192.168.101.0/24            Trunk           192.168.102.0/24

! enable SSH and create a user for Ansible to use on all our Cisco devices
SW01(config)# aaa new-model
SW01(config)# aaa authentication login default local
SW01(config)# aaa authorization exec default local
SW01(config)# username ansible priv 15 secret ansible
SW01(config)# ip domain-name testlab.com
SW01(config)# crypto key generate rsa modulus 2048

SW01(config)# line vty 0 15
SW01(config-line)# transport input ssh
SW01(config-line)# do wr

Inventory

cat /etc/hosts
"""
127.0.0.1
localhost localhost.localdomain localhost4 localhost4.localdomain4
::1
localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.21.51
sw01.testlab.com
10.10.21.52
sw02.testlab.com
10.10.21.53
r01.testlab.com
10.10.21.54
r02.testlab.com
"""

Ad-Hoc

ansible localhost -m ping

  localhost | SUCCESS => {
  "changed": false,
  "ping": "pong"
  }

Playbook

• cisco.yml

---
######## All Switches ########
- name: Configure Switches
hosts: switch
gather_facts: no
tasks:
- name: Create VLANs
ios_vlan:
vlan_id: ""
name: "ANSIBLE-VLAN"
loop:
- 101
- 102
- 123
- name: Configure Trunk Port between SW01 and SW02
ios_l2_interface:
name: GigabitEthernet3/0
mode: trunk
- name: Enable IP Routing on Switches
ios_config:
lines: ip routing

######## All Devices########
- name: Configure All Devices
hosts: cisco
gather_facts: no
tasks:
- name: Enable OSPF on All Devices
ios_config:
lines:
- network 0.0.0.0 0.0.0.0 area 0
parents: router ospf 1

######## SW01 ############
- name: Configure SW01
hosts: sw01.testlab.com
gather_facts: no
tasks:
- name: Assign SW01 VLANs
ios_vlan:
vlan_id: 101
interfaces:
- GigabitEthernet0/1
- name: Create Vlan101 SVI
ios_l3_interface:
name: Vlan101
ipv4: 192.168.101.1/24
- name: Create Vlan123 SVI
ios_l3_interface:
name: Vlan123
ipv4: 192.168.123.1/24
- name: Enable SVIs
ios_interface:
name: ""
enabled: True
loop:
- Vlan101
- Vlan123

######## SW02 ############
- name: Configure SW02
hosts: sw02.testlab.com
gather_facts: no
tasks:
- name: Assign SW02 VLANs
ios_vlan:
vlan_id: 102
interfaces:
- GigabitEthernet0/1
- name: Create Vlan102 SVI
ios_l3_interface:
name: Vlan102
ipv4: 192.168.102.1/24
- name: Create Vlan123 SVI
ios_l3_interface:
name: Vlan123
ipv4: 192.168.123.2/24
- name: Enable SVIs
ios_interface:
name: ""
enabled: True
loop:
- Vlan102
- Vlan123

######## R01 ############
- name: Configure R01
hosts: r01.testlab.com
gather_facts: no
tasks:
- name: Create R01 G0/1
ios_l3_interface:
name: Gig0/1
ipv4: 192.168.101.254/24
- name: Enable G0/1
ios_interface:
name: Gig0/1
enabled: True
- name: Add Default Route
ios_static_route:
prefix: 0.0.0.0
mask: 0.0.0.0
next_hop: 192.168.101.1

######## R02 ############
- name: Configure R02
hosts: r02.testlab.com
gather_facts: no
tasks:
- name: Create R02 G0/1
ios_l3_interface:
name: Gig0/1
ipv4: 192.168.102.254/24
- name: Enable G0/1
ios_interface:
name: Gig0/1
enabled: True
- name: Add Default Route
ios_static_route:
prefix: 0.0.0.0
mask: 0.0.0.0
next_hop: 192.168.102.1
---

• Run

[root@rhel01 ~]# ansible-playbook cisco.yml
PLAY [Configure Switches]
...
TASK [Create VLANs]
...
TASK [Configure Trunk Port between SW01 and SW02]
...
...

Ansible Tower/AWX

• Ansible Tower: A paid version via Red Hat that adds central management to Ansible that improves security because you can control who can run playbooks through Role-Based Access Control (RBAC). Ansible Tower also provides a single point for integration with other tools. Red Hat offers a free version that supports 10 hosts if you want to try it.

• AWX: The upstream development version of Ansible Tower, that’s kind of like Fedora vs. Red Hat Enterprise Linux. You can use it for free, but there’s less reliability since there can be frequent changes with little testing. Be aware that there’s only limited support available.