Ansible Networking Modules - Executing Commands
Executing Commands
ipSpace.net AG
This material is copyrighted and licensed for the sole use by Mikel Maeso (mikel.maeso@gmail.com [85.87.178.33]). More information at http://www.ipSpace.net/Webinars
Who is Ivan Pepelnjak (@ioshints)
Past
• Kernel programmer, network OS and web developer
• Sysadmin, database admin, network engineer, CCIE
• Trainer, course developer, curriculum architect
• Team lead, CTO, business owner
Present
• Network architect, consultant, blogger, webinar and book author
Focus
• SDN and network automation
• Large-scale data centers, clouds and network virtualization
• Scalable application design
• Core IP routing/MPLS, IPv6, VPN
More @ ipSpace.net/About
© ipSpace.net 2016 · Network Automation Workshop – Ansible for Networking devices
Ansible Support for Switches and Routers
Introduced in Ansible 2.1
• Similar interface for EOS, IOS, IOS-XR, NX-OS and Junos
• No abstraction – you have to deal with configuration differences
Junos:
• Enable NETCONF
• Install packages
Nexus OS:
• Manage features
• Execute NX-API calls
• Configure interfaces, IPv4 and IPv6 addresses, switchports, VLANs and VRFs…
(over 50 declarative intent modules)
Connecting to a Device
---
- hosts: all
  connection: local
  tasks:
    - nxos_command:
        commands: show arp
        transport: nxapi

# ansible.cfg
[defaults]
transport=local

[paramiko_connection]
look_for_keys=True|False
host_key_auto_add=True|False
record_host_keys=True|False
https://github.com/ipspace/NetOpsWorkshop/tree/master/tools/ssh-keys
Connecting and Authenticating (Ansible 2.3)
---
- hosts: all
  tasks:
    - ios_command:
        commands: show arp
        authorize: yes|no
        auth_pass: password
Ansible uses
• ansible_host or inventory_hostname as device host name or IP address
• ansible_user and ansible_ssh_pass to authenticate to the device
Most modules support
• authorize to enter enable mode (alternative: use user privilege level)
• auth_pass (or ANSIBLE_NET_AUTH_PASS) for enable password
---
- hosts: all
  connection: local
  tasks:
    - ios_command:
        commands: show arp

# hosts (inventory file)
r1.lab.local
r2.lab.local ansible_host=172.16.1.110

[all:vars]
ansible_user=cisco
ansible_ssh_pass=cisco

---
- hosts: ios
  tasks:
    - ios_command:
        commands: show arp
        host: "{{ansible_host|default(inventory_hostname)}}"
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"

---
- hosts: ios
  tasks:
    - ios_command:
        commands: show arp
        provider:
          host: "{{ansible_host|default(inventory_hostname)}}"
          username: "{{ansible_user}}"
          password: "{{ansible_ssh_pass}}"
          transport: cli
Alternative syntax:
• Specify connection parameters in provider dictionary
• Override specific parameters (if needed) in individual module calls
---
- hosts: all
  connection: local
  tasks:
    - ios_command:
        commands: show arp
        provider: "{{cli}}"

# group_vars/all.yml
---
cli:
  username: "{{ansible_user}}"
  password: "{{ansible_password}}"
  host: "{{ansible_host|default(inventory_hostname)}}"
  transport: cli
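Added example (not part of the original slides): a Python audit of the two settings shown above that matter most for security, the host-key options in [paramiko_connection] and passwords written as literals in the inventory. The sample files are constructed from the slide content and the function names are hypothetical.

```python
import configparser
import re

# Constructed samples modelled on the ansible.cfg and inventory shown above.
SAMPLE_CFG = """[defaults]
transport=local
[paramiko_connection]
look_for_keys=False
host_key_auto_add=True
record_host_keys=False
"""
SAMPLE_INVENTORY = """r1.lab.local
r2.lab.local ansible_host=172.16.1.110
[all:vars]
ansible_user=cisco
ansible_ssh_pass=cisco
"""
SECRET_VARS = ("ansible_ssh_pass", "ansible_password", "auth_pass")
SECRET_RE = re.compile(r"\b(%s)\s*=\s*(\S+)" % "|".join(SECRET_VARS))


def audit_ansible_cfg(text):
    """Return findings for the [paramiko_connection] host-key settings."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("paramiko_connection"):
        return []
    section = cfg["paramiko_connection"]
    findings = []
    # Ansible defaults: host_key_auto_add=False, record_host_keys=True.
    if section.getboolean("host_key_auto_add", fallback=False):
        findings.append("host_key_auto_add: unknown host keys accepted unverified")
    if not section.getboolean("record_host_keys", fallback=True):
        findings.append("record_host_keys: accepted host keys are not saved")
    return findings


def audit_inventory(text):
    """Return (line number, variable) for passwords stored as literals."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue
        for match in SECRET_RE.finditer(line):
            # A Jinja2 reference ({{ ... }}) points at another variable,
            # for example one kept in an encrypted vault file.
            if "{{" not in match.group(2):
                hits.append((number, match.group(1)))
    return hits


if __name__ == "__main__":
    for finding in audit_ansible_cfg(SAMPLE_CFG):
        print("ansible.cfg:", finding)
    for number, name in audit_inventory(SAMPLE_INVENTORY):
        print("inventory line %d: %s is stored in clear text" % (number, name))
```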
Execute a Cisco IOS command
---
- hosts: ios
  tasks:
    - ios_command:
        commands: show arp
        host: "{{inventory_hostname}}"
        username: cisco
        password: cisco
$ ansible-playbook -v command-ios.yml
---
- hosts: ios
  tasks:
    - ios_command:
        commands: show arp
        provider: "{{cli}}"

# group_vars/ios.yml
---
ansible_device_os: ios
cli:
  username: "{{ansible_user}}"
  password: "{{ansible_password}}"
  host: "{{inventory_hostname}}"
  transport: cli

Notes:
• Cisco IOS devices are accessed via SSH (transport: cli)
• No other mechanisms are available
• Results are returned as text strings
---
- hosts: nxos
  tasks:
    - nxos_command:
        commands: show ip arp
        provider: "{{cli}}"

# group_vars/nxos.yml
---
ansible_device_os: nxos
cli:
  username: "{{ansible_user}}"
  password: "{{ansible_password}}"
  host: "{{inventory_hostname}}"
  transport: cli

Notes:
• Cisco Nexus OS devices are accessed via SSH or NX-API
• Results are returned as text strings
• JSON-formatted results can be transformed into Ansible objects
---
- hosts: junos
  tasks:
    - junos_command:
        commands: show arp
        provider: "{{netconf}}"

# group_vars/junos.yml
---
ansible_device_os: junos
netconf:
  username: "{{ansible_user}}"
  password: "{{ansible_password}}"
  host: "{{inventory_hostname}}"
  transport: netconf

Notes:
• Junos devices are accessed only via NETCONF (using junos-eznc)
• Command printouts are received in XML format and transformed into Ansible objects that can be used in further tasks
Demo 3
Execute “show arp” on Multiple Platforms
$ ansible-playbook -v command-multi.yml
Demo 4
Logging Commands Executed by Ansible
$ ansible-playbook -v command-ios-provider.yml
---
- hosts: ios
  tasks:
    # This command should succeed
    - ios_command:
        commands:
          - show arp
        host: "{{inventory_hostname}}"
        username: ansible
        password: ansible
    # This command should fail
    - ios_command:
        commands:
          - show ip route
        host: "{{inventory_hostname}}"
        username: ansible
        password: ansible
Demo 5
Limit Commands Executed by Ansible
$ ansible-playbook -v command-ios-limited.yml
Check Device Versions
Task: Check Device Version
• Define target software version in host or group variables
Compliance check:
• Log into individual devices
• Execute show version
• Compare printout with desired software version
• Report (or fail) when there’s a version mismatch
---
- hosts: ios
  tasks:
    - ios_command:
        commands: show version
        provider: "{{cli}}"
      register: result
    - fail: msg="Wrong Cisco IOS version"
      when: "not ('Version {{version}}' in result.stdout[0])"

# host or group variables
---
ansible_device_os: ios
version: "15.5(4)M"
cli:
  username: "{{ansible_user}}"
  …
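Added example (not part of the original slides): the same compliance check in Python, comparing the parsed version exactly. The substring test in the playbook above also passes a printout whose version only begins with the target string, which the constructed sample for r2 demonstrates; printouts and function names are assumptions.

```python
import re

# Constructed first lines of "show version" (result.stdout[0] in the playbook),
# keyed by inventory hostname.
SAMPLE_PRINTOUTS = {
    "r1.lab.local": "Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), "
                    "Version 15.5(4)M, RELEASE SOFTWARE (fc1)",
    "r2.lab.local": "Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), "
                    "Version 15.5(4)M3, RELEASE SOFTWARE (fc2)",
    "r3.lab.local": "% Invalid input detected at '^' marker.",
}

# First "Version <id>" token; the identifier ends at whitespace or a comma.
VERSION_RE = re.compile(r"\bVersion\s+([^\s,]+)")


def running_version(printout):
    """Return the version identifier from a printout, or None if absent."""
    match = VERSION_RE.search(printout)
    return match.group(1) if match else None


def substring_check(printout, target):
    """The test used in the playbook: 'Version <target>' in the printout."""
    return "Version %s" % target in printout


def version_report(printouts, target):
    """Return one report line per host that is not running exactly target."""
    lines = []
    for host in sorted(printouts):
        found = running_version(printouts[host])
        if found is None:
            # Command failed or output was unexpected: report it, do not pass it.
            lines.append("%s: version not found in printout" % host)
        elif found != target:
            lines.append("%s: wrong IOS version (%s)" % (host, found))
    return lines


if __name__ == "__main__":
    target = "15.5(4)M"
    for host in sorted(SAMPLE_PRINTOUTS):
        print(host, "substring test passes:",
              substring_check(SAMPLE_PRINTOUTS[host], target))
    print("\n".join(version_report(SAMPLE_PRINTOUTS, target)))
```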
Demo 6
Aside: Register Action Results
---
- hosts: ios
  tasks:
    - ios_command:
        commands: show version
        provider: "{{cli}}"
      register: result
$ ansible-playbook check-version.yml
---
- hosts: junos
  tasks:
    - junos_command:
        commands: show version
        provider: "{{netconf}}"
      register: result
    - fail: msg="Wrong Junos version"
      when: "not ('{{version}}' in result.stdout[0]
             ['software-information']
             ['package-information'].comment)"

# host or group variables
---
ansible_device_os: junos
version: "12.1X47"
Demo 7
Aside: Working with junos_command Results
---
- fail: msg="Wrong Junos version"
  when: "not ('{{version}}' in result.stdout[0]
         ['software-information']
         ['package-information'].comment)"
---
- hosts: ios
  tasks:
    - ios_command:
        commands: show version
        provider: "{{cli}}"
      register: result
    - lineinfile:
        dest: version_report.txt
        regexp: "{{inventory_hostname}}"
        line: "{{inventory_hostname}}: wrong IOS version"
      when: "not ('Version {{version}}' in result.stdout[0])"

---
- hosts: localhost
  connection: local
  tasks:
    - file: path=version_report.txt state=absent
    - file: path=version_report.txt state=touch
Demo 8
Log Routers with Wrong Software Version
$ ansible-playbook check-version-log.yml
Task: Perform Connectivity Tests
• Define targets for connectivity tests in host or group variables
Connectivity test
• Log into individual devices
• Execute ping target
• Wait for “!!!” in the printout, fail if it’s not there
---
- hosts: ios
  tasks:
    - name: "Ping targets from IOS devices"
      ios_command:
        commands: ping {{item}}
        timeout: 3    # New in Ansible 2.2
        retries: 1
        wait_for:
          - result[0] contains "!!!"
        provider: "{{cli}}"
      with_items: "{{ping_target}}"
      ignore_errors: yes

# host or group variables
---
…
ping_target:
  - '172.16.1.1'
  - '172.16.1.12'
  - '172.16.1.100'
  - '172.16.1.105'
IOS_Command Parameters
---
- hosts: ios
  tasks:
    - name: "Ping targets from IOS devices"
      ios_command:
        commands: ping {{item}}
        timeout: 3
        retries: 1
        wait_for:
          - result[0] contains "!!!"
---
- hosts: ios
  tasks:
    - name: "Ping targets from IOS devices"
      ios_command: <parameters>
      with_items: "{{ping_target}}"

- hosts: nxos
  tasks:
    - name: "Ping targets from NXOS devices"
      nxos_command:
        commands: ping {{item}}
        provider: "{{cli}}"
      with_items: "{{ping_target}}"
      register: result
      failed_when: "not 'icmp_seq' in result.stdout[0]"
      ignore_errors: yes

- hosts: junos
  tasks:
    - name: "Ping targets from Junos devices"
      junos_command:
        commands: ping {{item}}
        provider: "{{netconf}}"
      with_items: "{{ping_target}}"
      register: result
      failed_when: "result.stdout[0]['ping-results']
                    ['ping-failure'] is defined"
      ignore_errors: yes
Junos returns ping results as an XML object, so we can test for a specific object property
---
- fail: msg
  when: condition
  any_errors_fatal: true
- some-other-task:
  failed_when: condition
  ignore_errors: yes
• Include a fail task in a play (hopefully with a when condition) to fail the play
• Use a failed_when condition to fail any other task
• Add ignore_errors to ensure a task failure doesn’t fail the playbook
• Using any_errors_fatal marks all hosts as failed even if only one fails (otherwise all tasks in a play are executed for other hosts)
Demo 9
Perform Simple Connectivity Tests
$ ansible-playbook check-connectivity.yml
$ ansible-playbook -v command-multi.yml
Other Ideas
• Device inventory (serial numbers, chassis numbers…)
• Periodic health monitoring
• Validate OSPF or BGP neighbors
• Validate HSRP/VRRP setup
• Collect ARP tables
Getting Operational Data from a Networking Device
Shipping with Ansible 2.2
• Device-specific get_facts (when available)
• Execute commands that generate JSON or XML output, parse
JSON/XML in Ansible
• NETCONF can get XML data from the device (very limited in Cisco IOS)
• Device-specific APIs (NXOS or EOS) return data in JSON format
• SNMP can be used to get data from the device
• Regular expressions can extract data from stdout or stdout_lines
Third-party options:
• Use TextFSM to parse printouts
https://github.com/networktocode/ntc-ansible
• Use get_facts in NAPALM
Network Device Fact Gathering Available in Ansible 2.2
Cisco IOS:
• Hostname, model, serial number, software version, memory, images
• Interface, IPv4 and IPv6 addresses
• LLDP neighbors
• Running configuration (when requested)
Nexus OS:
• Interfaces and VLANs
• Modules
• Environment information
---
- hosts: ios
  tasks:
    - ios_facts: provider="{{cli}}"
      register: facts
    # Use individual facts
    - debug: var=ansible_net_all_ipv4_addresses
    # Dump all facts via a registered variable
    - debug: var=facts

- hosts: nxos
  tasks:
    - nxos_facts: provider="{{cli}}"
      register: facts
    - debug: var=facts
Demo 10
Ansible Facts on Cisco IOS
Demo 10
Ansible Facts on Junos
Demo 10
Get JSON Data from Show Commands
Get JSON or XML Data from Show Commands
Some networking devices generate operational data in XML or JSON format:
• Cisco IOS: XML (few built-in commands, custom ODM files)
• Nexus OS: JSON or XML
• Cumulus Linux: JSON
• Junos: XML (converted to JSON in junos_command)
---
- hosts: nxos
  tasks:
    # Create JSON printout
    - nxos_command:
        commands: "show ip arp | json"
        provider: "{{cli}}"
      register: result
    # Convert JSON printout to variable
    - set_fact: json_result="{{ result.stdout[0] }}"
    # Dig into the data structure to get ARP table
    - set_fact: arp_table="{{ json_result.TABLE_vrf.ROW_vrf.TABLE_adj }}"
    - lineinfile: …
Demo 11
Result: arp_table.csv
- lineinfile:
    dest: arp_table.csv
    regexp: "^{{inventory_hostname}},{{item['intf-out']}},{{item['ip-addr-out']}}"
    line: "{{inventory_hostname}},{{item['intf-out']}},{{item['ip-addr-out']}},{{item['mac']}}"
  with_items: "{{arp_table.ROW_adj}}"

s1.lab.local,Vlan100,172.16.1.1,0050.56c0.0002
s1.lab.local,Vlan100,172.16.1.12,000c.29e5.30a3
---
- hosts: junos
  tasks:
    - junos_command:
        commands: "show arp"
        provider: "{{netconf}}"
      register: result
    # result.stdout[0] is already an object
    # Dig into the data structure to get ARP table
    - set_fact: arp_table="{{ result.stdout[0]['arp-table-information']['arp-table-entry'] }}"
    - lineinfile:
        dest: arp_table.csv
        regexp: "^{{inventory_hostname}},{{item['interface-name']}},{{item['ip-address']}}"
        …
Demo 12
Use Vendor API
Executing Vendor API Calls from Ansible
---
- hosts: nxos
  tasks:
    - nxos_command:
        commands: "show ip arp"
        provider: "{{cli}}"
        transport: "nxapi"
      register: result
Demo 13
Using NXAPI with Ansible
$ ansible-playbook -v nexus-api.yml
(config)#feature nxapi
Recommended:
• Use HTTPS, disable HTTP
Demo 14
Gather SNMP Facts
---
- hosts: ios
  tasks:
    - snmp_facts:
        host: "{{inventory_hostname}}"
        version: v2
        community: cisco
      register: result
• snmp_facts task gathers standard SNMP MIB variables and adds them to Ansible facts
• Supports SNMP v2, v2c and v3 with encryption and authentication
Information gathered
• IP addresses and subnets
• Interface information: description, MTU, speed, address, status
• System information: description, uptime, contact, name, location
Demo 15
SNMP Facts Gathered from an IOS device
SDN: ipSpace.net/SDN
Webinars: ipSpace.net/Webinars
Consulting: ipSpace.net/Consulting