Ansible: Playbooks

This section covers how to automate VLAN configuration on a Cisco switch using an Ansible playbook. Follow these steps to deploy a new VLAN swiftly and consistently across your infrastructure:

1. Define Your Inventory:
   Organize your target switches in your Ansible inventory file (e.g., hosts). Example:

   [switches]
   core-switch01 ansible_host=192.0.2.101
   edge-switch01 ansible_host=192.0.2.102
       

2. Create the VLAN Playbook:
   Write a YAML playbook to configure the VLAN. Example:

   ---
   - name: Configure VLAN on Cisco Switch
     hosts: switches
     gather_facts: no
     tasks:
       - name: Configure VLAN 10
         cisco.ios.ios_vlan:
           vlan_id: 10
           name: "Production"
           state: present
       

3. Check Collection Requirements:
   Ensure the Cisco IOS Ansible collection is installed.
   ansible-galaxy collection install cisco.ios
4. Provide Authentication:
   Store device credentials securely, preferably with Ansible Vault. Define variables in group_vars/switches.yml:

   ansible_connection: network_cli
   ansible_user: your_username
   ansible_password: your_password
   ansible_network_os: cisco.ios.ios
       

5. Run the Playbook:
   Use the following command on your control machine:

   ansible-playbook configure_vlan.yml -i hosts
       

This simple playbook enables rapid, repeatable VLAN deployment on one or many Cisco switches. You can adapt the VLAN ID, name, or add more tasks for additional configuration.

In this section, you'll learn how to deploy or update firewall rules (Access Control Lists - ACLs) on Cisco ASA appliances using Ansible. The workflow is designed to ensure efficient and repeatable firewall rule configuration.

1. Prepare Your Inventory:
   Define your Cisco ASA devices in the Ansible inventory file (e.g., hosts):

   [firewalls]
   asa01 ansible_host=203.0.113.10
   asa02 ansible_host=203.0.113.11
       

2. Add Secure Credentials:
   Store your authentication credentials securely (using group_vars/firewalls.yml, Ansible Vault, or environment variables):

   ansible_user: admin
   ansible_password: your_password
   ansible_connection: network_cli
   ansible_network_os: cisco.asa.asa
   ansible_authorize: yes
   ansible_auth_pass: your_enable_password
       

3. Install Required Collections:
   Make sure the Cisco ASA Ansible collection is installed:
   ansible-galaxy collection install cisco.asa
4. Create the Firewall Rule Playbook:
   Write a playbook to configure your access-lists. Here is an example to permit HTTPS traffic from 10.0.1.0/24 to 10.0.2.0/24:

   ---
   - name: Deploy Firewall Rule on Cisco ASA
     hosts: firewalls
     gather_facts: no
     tasks:
       - name: Permit HTTPS from 10.0.1.0/24 to 10.0.2.0/24
         cisco.asa.asa_acls:
           config:
             acls:
               - name: OUTSIDE_IN
                 acl_type: extended
                 aces:
                   - grant: permit
                     protocol: tcp
                     source:
                       address: 10.0.1.0
                       netmask: 255.255.255.0
                     destination:
                       address: 10.0.2.0
                       netmask: 255.255.255.0
                       port:
                         eq: 443
           state: merged
       

5. Deploy the Playbook:
   Run the playbook from your Ansible control node:

   ansible-playbook asa_firewall_rule.yml -i hosts
       

This playbook ensures your ACL policy is consistent and reproducible across all defined ASA firewalls. You can adapt the rules, source/destination parameters, and ACL names to suit your needs.

This section provides a step-by-step guide to automating the backup of network device configurations (such as Cisco or Arista devices) using Ansible playbooks. This automation ensures that you retain a reliable, versioned history of running configurations across your infrastructure.

1. Prepare Your Inventory and Variables:
   List your routers, switches, or firewalls in the Ansible inventory file (hosts), grouped as needed:

   [routers]
   router1 ansible_host=198.51.100.10
   router2 ansible_host=198.51.100.11
       

   Add secure access credentials and connection parameters for your devices in group_vars/routers.yml:

   ansible_user: admin
   ansible_password: your_password
   ansible_connection: network_cli
   ansible_network_os: cisco.ios.ios
   ansible_become: yes
   ansible_become_method: enable
   ansible_become_password: your_enable_password
       

2. Install Required Collections:
   For Cisco IOS, run:
   ansible-galaxy collection install cisco.ios
   For Arista EOS, run:
   ansible-galaxy collection install arista.eos
3. Create the Backup Playbook:
   Write your playbook (backup.yml) to back up configurations and save files locally with meaningful names:

   ---
   - name: Backup Network Device Configurations
     hosts: routers
     gather_facts: no
     tasks:
       - name: Backup running configuration
         cisco.ios.ios_config:
           backup: yes
           backup_options:
             filename: "{{ inventory_hostname }}_{{ ansible_host }}.cfg"
             dir_path: "./backups"
       

   Tweak the module and options based on your device platform (e.g., arista.eos.eos_config for Arista).

4. Run the Playbook:
   On your Ansible control node, execute:

   ansible-playbook backup.yml -i hosts
       

   All configurations will be saved in the ./backups directory, named with the hostname and IP for clarity.
5. Optional: Version Control Your Backups:
   For enhanced tracking and historical reference, use a Git repository to version control your configuration files.
   

   cd backups
   git init
   git add .
   git commit -m "Initial configuration backup"
       

   Automate git commits as part of your playbook if desired.

With this automation in place, you’ll ensure consistent, secure, and easily restorable backups of your critical network devices—supporting disaster recovery and facilitating audits.

This section illustrates how you can use Ansible to automatically check for compliance on network devices, such as verifying that secure protocols are correctly configured or key standards are enforced. The approach is easily customizable for a range of configuration compliance checks across your fleet.

1. Define Devices in Inventory:
   Prepare your Ansible inventory (hosts) listing the devices to check for compliance:

   [all_network_devices]
   core-router01 ansible_host=198.51.100.32
   edge-switch07 ansible_host=198.51.100.54
       

2. Set Access Variables Securely:
   Populate variables and credentials for your devices in group_vars/all_network_devices.yml or with Ansible Vault:

   ansible_user: admin
   ansible_password: your_password
   ansible_connection: network_cli
   ansible_network_os: cisco.ios.ios
       

3. Ensure Required Modules/Collections:
   Install collections relevant for compliance checks such as cisco.ios:
   ansible-galaxy collection install cisco.ios
4. Create the Compliance Playbook:
   Here is an example playbook (compliance_check.yml) to verify if SSH version 2 is enabled:

   ---
   - name: Check Network Device Compliance
     hosts: all_network_devices
     gather_facts: no
     tasks:
       - name: Show SSH version configuration
         cisco.ios.ios_command:
           commands:
             - show run | include ^ip ssh version
         register: ssh_version
       - name: Assert SSH version 2 is configured
         assert:
           that:
             - "'ip ssh version 2' in ssh_version.stdout[0]"
           fail_msg: "SSH version 2 is NOT enabled on {{ inventory_hostname }}"
           success_msg: "SSH version 2 is configured on {{ inventory_hostname }}"
       

   This pattern can be extended to check other policy requirements: correct NTP servers, SNMP communities, password standards, and more.

5. Run the Compliance Playbook:
   Execute your check from the control node:

   ansible-playbook compliance_check.yml -i hosts
       

   The results will indicate which devices pass or fail each compliance check.
6. Optional: Reporting or Remediation:
   For larger environments, you can:
   • Capture and aggregate non-compliance results (use register and Ansible debug or copy modules).
   • Trigger automated remediation tasks for failed checks within the same playbook.
   • Integrate with ticketing or alerting systems (like ServiceNow) by adding notification tasks.

Using this approach, you ensure your network devices consistently meet defined security and operational standards, and you can react quickly if any device falls out of compliance.

This section outlines how to streamline and automate the process of creating and managing user accounts on network devices or Linux hosts using an Ansible playbook. This approach ensures rapid, consistent, and secure user provisioning across large-scale infrastructure.

1. Declare Inventory Hosts:
   List the target devices or systems for user creation in your inventory file (hosts):

   [all_network_devices]
   switch01 ansible_host=192.0.2.21
   router01 ansible_host=192.0.2.22
       

   For Linux hosts, substitute host group and hostnames as needed.

2. Store Access Credentials Securely:
   Save your access variables securely in group_vars/all_network_devices.yml (use Ansible Vault for sensitive info):

   ansible_user: admin
   ansible_password: your_password
   ansible_connection: network_cli
   ansible_network_os: cisco.ios.ios
       

   For Linux hosts, use the appropriate ansible_connection and ansible_network_os values.

3. Install Required Collections:
   For Cisco IOS network devices:
   ansible-galaxy collection install cisco.ios
   For Linux hosts:
   ansible-galaxy collection install ansible.builtin
4. Define User Variables:
   Specify users to be provisioned; store in group_vars/all_network_devices.yml or a separate users.yml file:

   provisioned_users:
     - name: netadmin
       password: "{{ vault_admin_password }}"
       privilege: 15
     - name: auditops
       password: "{{ vault_audit_password }}"
       privilege: 5
       

   Passwords can be stored securely in Ansible Vault and referenced here.

5. Create the User Provisioning Playbook:
   Build the playbook (user_provision.yml) using a loop to provision multiple users:

   ---
   - name: Add local admin users to devices
     hosts: all_network_devices
     gather_facts: no
     vars_files:
       - users.yml
     tasks:
       - name: Ensure local users exist
         cisco.ios.ios_user:
           name: "{{ item.name }}"
           configured_password: "{{ item.password }}"
           privilege: "{{ item.privilege }}"
           state: present
         loop: "{{ provisioned_users }}"
       

   For Linux hosts, substitute cisco.ios.ios_user with ansible.builtin.user, and adjust parameters accordingly.

6. Execute the Playbook:
   Run the following command to apply the user provisioning configuration:

   ansible-playbook user_provision.yml -i hosts
       

   Ansible will connect to each device and ensure the specified users exist with the right privileges.

7. Verify and Review:
   After execution, confirm user creation with manual commands or follow-up tasks using Ansible’s command or ios_command modules, or generate a summary report.

This workflow simplifies and standardizes user management on network or server infrastructure. Adapt the module type and variable structure for your device platform and compliance requirements. Automate removal of users by changing state: present to state: absent in the relevant task.