Automation | 2026-01-29

Ansible for Network Engineers: A Complete Getting Started Guide

Learn how to use Ansible for network automation. This comprehensive guide covers inventory management, playbooks, and real-world examples for Cisco, Juniper, and Arista devices.


Network automation is no longer optional in modern IT environments. As networks grow more complex, manual configuration becomes unsustainable. Ansible provides a powerful, agentless solution for network engineers to automate configuration management, compliance checking, and deployment tasks.

Why Ansible for Network Automation?

Ansible stands out as the preferred automation tool for network engineers for several compelling reasons:

Agentless Architecture

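Unlike traditional automation tools, Ansible doesn't require installing agents on network devices. It reaches Unix/Linux hosts over SSH and network devices over SSH (the network_cli connection used in this guide), NETCONF, or REST APIs, so there is no agent software to install, patch, or secure on the devices themselves.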

Human-Readable YAML

Ansible playbooks are written in YAML, which is easy to read and understand. This means your network configurations are documented automatically.

Vendor Support

Ansible has native modules for all major network vendors:

  • Cisco (IOS, IOS-XE, NX-OS)
  • Juniper (Junos)
  • Arista (EOS)
  • Palo Alto (PAN-OS)
  • F5 (BIG-IP)

Idempotent Operations

Running an Ansible playbook multiple times produces the same result, making it safe and predictable.

Prerequisites

Before we begin, ensure you have:

  1. Python 3.8+ installed
  2. Ansible 2.9+ installed
  3. Access to network devices (physical or virtual)
  4. Basic understanding of networking concepts

Installation

# Install Ansible via pip
pip install ansible

# Verify installation
ansible --version

Your First Network Playbook

Let's create a simple playbook to gather facts from Cisco devices:

---
- name: Gather Network Facts
  hosts: all
  gather_facts: false
  connection: network_cli
  
  vars:
    ansible_network_os: ios
  
  tasks:
    - name: Get device facts
      ios_facts:
        gather_subset: all
    
    - name: Display hostname
      debug:
        var: ansible_net_hostname  # ios_facts returns ansible_net_* facts
    
    - name: Display interfaces
      debug:
        var: ansible_net_interfaces

Inventory Configuration

Create your inventory file:

[switches]
192.168.1.1
192.168.1.2

[routers]
192.168.1.100

[all:vars]
ansible_user=admin
# Placeholder credentials for a first lab run only; move real ones into Ansible Vault
ansible_ssh_pass=your_password
ansible_become_pass=enable_password
ansible_connection=network_cli
ansible_network_os=ios

Running the Playbook

# Dry run first (check mode)
ansible-playbook gather_facts.yml --check

# Actually run it
ansible-playbook gather_facts.yml

Real-World Example: Configuration Backup

Here's a more practical playbook that backs up running configurations:

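---
- name: Network Configuration Backup
  hosts: all
  gather_facts: false
  connection: network_cli
  
  vars:
    backup_dir: /path/to/backups
  
  tasks:
    # Runs once on the control node, where the backups are written
    - name: Create backup directory
      file:
        path: "{{ backup_dir }}"
        state: directory
        mode: '0700'  # owner-only: running configs contain password hashes
      delegate_to: localhost
      run_once: true
    
    - name: Fetch running config
      ios_config:
        backup: yes
        backup_options:
          # ansible_date_time is undefined with gather_facts: false, so format the date here
          filename: "{{ inventory_hostname }}-{{ '%Y-%m-%d' | strftime }}.cfg"
          dir_path: "{{ backup_dir }}"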
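
Backed-up running configs contain password hashes and SNMP community strings, so a copy that is committed to Git or attached to a ticket should have them stripped first. The sanitizer below is an added example, not part of the original guide or of Ansible; `redact_config`, its four rules, and the sample config are constructed for illustration and cover only the line types shown.

```python
import re

PLACEHOLDER = "<removed>"

# Each rule keeps the command keyword ("pre") and any trailing options ("post")
# and drops only the secret token between them.
RULES = [re.compile(pattern) for pattern in (
    r"^(?P<pre>\s*enable (?:secret|password)(?: \d+)?) \S+(?P<post>)$",
    r"^(?P<pre>\s*username \S+ (?:.* )?(?:secret|password)(?: \d+)?) \S+(?P<post>)$",
    r"^(?P<pre>\s*snmp-server community) \S+(?P<post>(?: .*)?)$",
    r"^(?P<pre>\s*password(?: \d+)?) \S+(?P<post>)$",
)]


def redact_config(config_text):
    """Return (sanitized_text, redacted_line_count) for an IOS-style config."""
    sanitized, count = [], 0
    for line in config_text.splitlines():
        for rule in RULES:
            match = rule.match(line)
            if match:
                line = f"{match.group('pre')} {PLACEHOLDER}{match.group('post')}"
                count += 1
                break
        sanitized.append(line)
    return "\n".join(sanitized) + "\n", count


# Constructed sample backup; the hashes and community string are not real.
SAMPLE_CONFIG = """hostname lab-sw1
service password-encryption
enable secret 5 $1$constructed$notARealHash
username admin privilege 15 secret 5 $1$constructed$notARealHash
snmp-server community constructedRO RO
line vty 0 4
 password 7 0000000000
 login
"""

if __name__ == "__main__":
    clean, redacted = redact_config(SAMPLE_CONFIG)
    print(clean)
    print(f"{redacted} lines redacted")
```

Keep the unredacted backup in the owner-only directory for restores and share only the sanitized copy.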

Using Ansible Vault for Secrets

Never hardcode passwords in your playbooks. Use Ansible Vault:

# Create encrypted vault file
ansible-vault create group_vars/all/vault.yml

# Edit vault
ansible-vault edit group_vars/all/vault.yml

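Define each secret inside the vault under a vault_-prefixed name, then reference it from a plain-text variables file:

---
# group_vars/all/vault.yml (encrypted): define vault_ansible_ssh_pass and vault_ansible_become_pass
# group_vars/all/global.yml (plain text): reference them as below
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"
ansible_become_pass: "{{ vault_ansible_become_pass }}"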
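
A check for the problem Vault solves, as an added example (not from the original guide or the Ansible project): it flags credential variables set to literal values in an inventory or vars file, and confirms that a vault file carries the `$ANSIBLE_VAULT;` header. The function names and sample strings are constructed for illustration.

```python
import re

# Connection variables that carry device credentials.
CREDENTIAL_VARS = ("ansible_ssh_pass", "ansible_password", "ansible_become_pass")
# Matches "name=value" (INI inventory) and "name: value" (YAML vars). The \b keeps
# vault_ansible_ssh_pass, which lives inside the encrypted file, from matching.
ASSIGNMENT = re.compile(r"\b(%s)\s*[:=]\s*(.*)" % "|".join(CREDENTIAL_VARS))
VAULT_HEADER = "$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this


def find_plaintext_credentials(text):
    """Return [(line_number, variable)] for credentials set to a literal value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line in INI or YAML
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group(2).strip().strip("'\"")
        # A Jinja2 reference or an inline !vault value keeps the secret elsewhere.
        if value and not value.startswith(("{{", "!vault")):
            findings.append((number, match.group(1)))
    return findings


def is_vault_encrypted(text):
    """True when the content begins with the ansible-vault header."""
    return text.startswith(VAULT_HEADER)


# Constructed samples: the inventory from this guide, a vars file, a vault file.
SAMPLE_INVENTORY = """[switches]
192.168.1.1

[all:vars]
ansible_user=admin
ansible_ssh_pass=your_password
ansible_become_pass=enable_password
"""
SAMPLE_VARS = 'ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"\n'
SAMPLE_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n(ciphertext omitted)\n"

if __name__ == "__main__":
    for number, name in find_plaintext_credentials(SAMPLE_INVENTORY):
        print(f"line {number}: {name} is set to a literal value")
```

Run over real files in a pre-commit hook or a CI test stage, a non-empty result or a `vault.yml` that fails `is_vault_encrypted` is a reason to block the merge.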

Best Practices for Network Automation

1. Use Dynamic Inventory

For dynamic environments, use cloud inventory plugins:

plugin: amazon.aws.aws_ec2
regions:
  - us-east-1
filters:
  tag:Environment: production

2. Organize with Group Variables

inventory/
├── group_vars/
│   ├── all/
│   │   ├── vault.yml      # Secrets
│   │   └── global.yml     # Global settings
│   ├── switches/
│   │   └── switches.yml
│   └── routers/
│       └── routers.yml

3. Implement Error Handling

- name: Configure interface
  ios_interface:
    name: GigabitEthernet1
    description: Uplink to Core
    state: present
  ignore_errors: yes
  register: interface_output

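- name: Display errors
  debug:
    msg: "Configuration failed: {{ interface_output.msg | default('no error message returned') }}"
  # "failed" is always defined on a registered result, so test its value instead
  when: interface_output is failed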

4. Use Modules for Vendor-Specific Tasks

| Task | Module |
|------|--------|
| Configure interface | ios_interface |
| Manage VLANs | ios_vlan |
| Configure BGP | ios_bgp |
| Manage ACLs | ios_acls |
| Check compliance | ios_command |

Common Modules Reference

Here's a quick reference for essential network modules:

# VLAN Configuration
- name: Create VLANs
  ios_vlan:
    vlan_id: 100
    name: Management

# Interface Configuration
- name: Configure interface
  ios_interface:
    name: GigabitEthernet0/1
    description: Uplink
    enabled: yes

# BGP Configuration
- name: Configure BGP
  ios_bgp:
    # ios_bgp takes its settings under "config"; the AS number key is bgp_as
    config:
      bgp_as: 65001
      router_id: 1.1.1.1
      neighbors:
        - neighbor: 192.168.1.2
          remote_as: 65002

Troubleshooting Common Issues

SSH Connection Issues

# Test SSH connectivity
ansible all -m ping

# Enable verbose logging
ansible-playbook playbook.yml -vvv

Timeout Errors

Increase timeout in inventory:

[all:vars]
ansible_timeout=60

Permission Denied

Ensure enable password is set:

ansible_become: yes
ansible_become_method: enable
ansible_become_pass: "{{ vault_ansible_become_pass }}"

Integrating with CI/CD

Modern network automation requires testing. Integrate Ansible with CI/CD pipelines:

# .gitlab-ci.yml
stages:
  - test
  - deploy

test-network:
  stage: test
  script:
    - ansible-playbook tests/network-test.yml --check

deploy-network:
  stage: deploy
  script:
    - ansible-playbook deploy/network-config.yml
  only:
    - main

Advanced Topics

NAPALM Integration

NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support) provides vendor-agnostic operational data:

- name: Get operational data with NAPALM
  napalm_get_facts:
    hostname: "{{ inventory_hostname }}"
    username: "{{ ansible_user }}"
    password: "{{ ansible_ssh_pass }}"
    dev_os: "eos"
  register: napalm_facts

Custom Modules

Create custom modules for vendor-specific tasks:

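# library/custom_nxos_command.py
from ansible.module_utils.basic import AnsibleModule


def main():
    module = AnsibleModule(
        argument_spec=dict(
            command=dict(required=True, type='str'),
        ),
        supports_check_mode=True,
    )
    # Your custom module code goes here; this skeleton only echoes its input
    module.exit_json(changed=False, command=module.params['command'])


if __name__ == '__main__':
    main()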

Resources and Next Steps

To continue your network automation journey:

Conclusion

Ansible provides a powerful foundation for network automation. Start with simple tasks like configuration backup, then gradually expand to more complex deployments. Remember to always test in a lab environment before applying changes to production.

The key to successful network automation is starting small, iterating frequently, and building confidence through testing. Begin with one playbook, measure the results, and expand from there.

