What Is Ansible for Network Automation in Networking?
Also known as: Ansible for Network Automation, CNP ENCOR automation, network automation tools, Ansible playbook, agentless network automation
On This Page
Quick Definition
Ansible for Network Automation is a way to manage network devices without logging into each one separately. Instead of typing commands on a router or switch one by one, you write a simple script that tells Ansible what you want done. Ansible then connects to each device and makes the changes automatically, saving time and reducing mistakes.
Must Know for Exams
Ansible for Network Automation appears in the Cisco CCNP Enterprise exam (350-401 ENCOR) as a core topic. The exam objectives explicitly include understanding automation tools and their use in network management. Specifically, you need to know how Ansible works, its components (control node, managed nodes, inventory, playbooks, modules), and how it compares to other tools like Puppet, Chef, and SaltStack.
The ENCOR exam tests your grasp of automation principles rather than detailed Ansible syntax. For example, you might be asked to identify which Ansible component is responsible for defining the target devices (inventory). Or you might need to explain the difference between push-based and pull-based automation models. Ansible is push-based, meaning the control node pushes configuration to devices. Puppet is pull-based, where devices check a central server for updates.
Scenario-based questions are common. The exam might describe a network engineer who needs to update the SNMP community string on 200 routers. You are asked which automation tool is best suited and why. The answer would be Ansible because it is agentless and uses SSH, which is already enabled on Cisco routers. You would also need to explain that Ansible playbooks can be run once and the change is applied immediately, unlike Puppet which would require an agent on each router.
Configuration management questions may ask you to interpret a simple YAML playbook excerpt. For instance, a question might show a playbook that uses the cisco.ios.ios_config module and ask what the lines parameter does. You need to understand that lines are the configuration commands to be applied. Another question might present a scenario where a playbook fails to connect to devices. You would need to troubleshoot by checking the inventory file for correct IP addresses, credentials, or SSH connectivity.
The exam also tests your knowledge of how Ansible integrates with other Cisco technologies. For example, Cisco DNA Center uses a similar automation paradigm, and understanding Ansible helps you grasp the concepts behind Cisco's own automation platform. You may need to compare Ansible with Cisco's NETCONF/YANG or RESTCONF, which are protocol-based models for programmatic device management.
To prepare, focus on the core concepts and their relationships. Know the terminology and be able to explain each component. Understand the workflow of writing a playbook, running it, and interpreting the output. Also, remember that Ansible is not the only automation tool covered; you must know how to contrast it with others. The exam expects a broad understanding of the automation landscape.
Simple Meaning
Imagine you are a librarian at a large library with hundreds of shelves. Every week, you need to check that each book is in the correct section, that the labels are correct, and that no books are missing. Doing this by walking from shelf to shelf and inspecting each book would take hours. Now imagine you have a assistant who can read a list of instructions and perform all those checks at once. You write down what needs to be done, hand the list to the assistant, and they visit every shelf, follow your instructions, and report back. This is exactly what Ansible does for network devices.
Ansible uses something called a control node, which is typically a server or a laptop running the Ansible software. The network devices, such as routers and switches, do not need any special software installed. Ansible connects to them over the network, usually using SSH (Secure Shell) or APIs (Application Programming Interfaces). SSH is like a secure tunnel into the device that allows Ansible to send commands. APIs are more modern interfaces that allow direct communication with the device's operating system.
You write instructions in a file called a playbook. This file is written in YAML, which is a simple language that uses indentation and plain words. The playbook describes what you want to do, such as configure an IP address on an interface, add a VLAN, or update the routing table. You also create an inventory file that lists all the devices you want to manage, along with their IP addresses and login credentials.
When you run the playbook, Ansible reads the inventory, connects to each device, checks the current state, and then makes the changes needed to match your instructions. It reports back on what was changed and what was already correct. This approach is called idempotent, meaning that if you run the same playbook multiple times, you get the same result without creating errors or duplicates. For beginners, this means you can test and adjust your configuration safely without worrying about breaking the network.
Full Technical Definition
Ansible for Network Automation is part of the larger Ansible ecosystem, originally developed by Michael DeHaan and later acquired by Red Hat. It is a push-based automation tool that does not require agents installed on the target devices. Instead, it leverages existing network protocols and APIs to manage devices. The control node runs Ansible Engine or Ansible Tower (now part of Red Hat Ansible Automation Platform). The target network devices must support SSH, NETCONF, RESTCONF, or vendor-specific APIs such as Cisco NX-API or Arista eAPI.
Ansible uses modules to interact with devices. A module is a small piece of code that performs a specific operation. For network automation, there are hundreds of modules. For example, the cisco.ios.ios_config module is used to send configuration commands to Cisco IOS devices. The cisco.ios.ios_command module sends show commands and captures the output. These modules are part of the Ansible Core or can be installed from the Ansible Galaxy community. The modules handle the complexities of different device operating systems, so the playbook author only needs to specify the desired state.
Playbooks are written in YAML, which stands for YAML Ain't Markup Language. YAML is human-readable and uses indentation to define structure. A playbook contains one or more plays. Each play targets a group of hosts defined in the inventory file. The inventory can be a simple static text file or a dynamic source like a cloud provider database. Within a play, tasks are defined. Each task calls a module with parameters. For example, a task might look like this:
yaml - name: Configure interface GigabitEthernet0/1 cisco.ios.ios_config: lines: - ip address 192.168.1.1 255.255.255.0 - no shutdown parents: interface GigabitEthernet0/1
When run, this task connects to the device, enters global configuration mode, enters interface configuration mode, applies the IP address, enables the interface, and then saves the configuration if the playbook includes a save step. Ansible leverages the device's existing configuration mode and command syntax, so the playbook commands are the same as those you would type manually.
Ansible also supports network-centric features like connection plugins. The network_cli connection plugin is used for SSH-based communication. It manages the SSH session, login, and privilege escalation. The httpapi plugin uses REST APIs. Ansible handles the transport layer, authentication, and command execution reliably. For Cisco devices, Ansible often uses the ansible_network_os variable to determine which modules and connection methods to use. This variable is set in the inventory for each device.
In real environments, Ansible is used for configuration management, compliance audits, firmware upgrades, and troubleshooting. For example, a network engineer might write a playbook that checks all routers for a specific access control list (ACL) entry and adds it if missing. Another playbook might collect the output of show commands from hundreds of switches and save them to a log file for analysis. Ansible can be scheduled to run periodically using cron jobs or integrated with CI/CD pipelines for automated network changes in response to application deployments.
Real-Life Example
Think of a large office building that has hundreds of doors. Each door has a badge reader, and employees use their key cards to enter different areas. The building manager receives a request from the HR department: all employees in the Finance team now need access to the secure server room on the third floor. Walking to every door manually and updating the access list at each badge reader would take hours and could lead to mistakes.
Instead, the building manager uses a central system. They open a file that lists all badge readers and their current settings. They add a new rule: anyone with a Finance badge can enter the server room between 8 AM and 6 PM. They save the file. Then the central system connects to every badge reader, checks its current settings, and updates only the ones that are missing the new rule. After a few minutes, all badge readers are updated. The system sends a report: 45 readers were updated, 12 already had the rule, and 3 were offline.
This is exactly how Ansible works for network automation. The network engineer builds a playbook that describes the desired configuration. The playbook includes the devices to be managed, the credentials, and the configuration commands. When run, Ansible connects to each device, compares the current configuration to the desired state, and applies only the changes needed. It reports which devices changed, which were already compliant, and which had errors. The engineer can trust that the configuration is consistent across all devices without logging into each one manually.
Why This Term Matters
Network automation with Ansible matters because modern networks are too large and complex to manage manually. A typical enterprise network can have hundreds or thousands of routers, switches, firewalls, and wireless controllers. Making a change across all these devices by hand is slow, error-prone, and difficult to audit. Ansible allows a single engineer to configure or update all devices in minutes rather than days.
Consistency is another huge benefit. human operators can make typos, forget a command, or misconfigure a device. These small mistakes can cause outages or security vulnerabilities. Ansible playbooks are tested and version-controlled, just like software code. Once a playbook is verified, it can be run repeatedly with the same results. This reduces the chance of human error and ensures that all devices follow the same standards.
Compliance and auditing become straightforward. Many industries require that network devices be configured according to strict security standards, such as disabling unused ports, using strong passwords, or logging all administrative actions. Running an Ansible playbook periodically can check that every device still complies. If a device drifts from the standard, Ansible can either alert the engineer or automatically correct the configuration.
In the context of automation and AI in networking, Ansible is often the foundation. It can be integrated with network monitoring tools, ticketing systems, and even AI-driven analytics platforms. For example, if a monitoring system detects that a router's CPU is overloaded, it can trigger an Ansible playbook that adjusts QoS settings or shuts down non-critical interfaces. This is the first step toward intent-based networking, where the network automatically adjusts to maintain business policies.
For IT professionals, learning Ansible is a career differentiator. Network engineers who can automate are more valuable than those who can only configure devices by hand. Many job postings for senior network roles now require automation skills. Ansible is also vendor-agnostic, meaning the same skills apply to Cisco, Juniper, Arista, and other platforms. This makes it a versatile tool to invest in.
How It Appears in Exam Questions
In certification exams, Ansible for Network Automation appears in several patterns. One common type is the multiple-choice concept question. For example, Which of the following best describes the role of an Ansible inventory? The answer choices include statements about playbooks, modules, target device list, and control node. The correct answer describes inventory as the list of managed devices and their connection details.
Another pattern is the scenario-based configuration question. The exam presents a situation: A network engineer needs to configure the same NTP server on all routers in the company. Which Ansible component should the engineer modify to specify the NTP server IP address? The answer is the playbook, because the playbook contains the tasks and the parameters for the modules. The inventory only lists devices, not configuration details.
Troubleshooting questions appear as well. For instance, a candidate is shown an error message from a failed Ansible run: Permission denied (publickey). The question asks what the likely cause is. Options include incorrect SSH credentials, missing Ansible module, wrong YAML syntax, or network connectivity issue. The correct answer is incorrect SSH credentials, because the error indicates that Ansible cannot authenticate to the device.
Comparison questions are frequent. The exam may ask: How does Ansible differ from Puppet in terms of agent architecture? The correct answer is that Ansible is agentless and uses SSH, while Puppet requires an agent installed on managed nodes. Candidates must know that Ansible pushes configuration, whereas Puppet pulls configuration from a master server.
Architecture questions test understanding of components. You might see a diagram with boxes labeled Control Node, Managed Nodes, Inventory, Playbook, and Module. The question asks which component contains the actual automation logic. The answer is Module, because modules are the code that performs the task. The playbook only orchestrates which modules to run on which devices.
Finally, there are YAML interpretation questions. A short YAML snippet is shown, and the candidate must identify errors or explain what the playbook does. For example, a playbook might miss the hosts line, making it invalid. The question asks why the playbook will fail. The answer is that every play needs to specify which hosts to target.
These question types test both factual knowledge and applied understanding. To succeed, you must not only memorise terms but also understand how Ansible works in practice. The ENCOR exam places emphasis on automation as a skill, not just a theory.
Study encor
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized company has 50 Cisco routers spread across five branch offices. Each router needs to have a new syslog server address added, and the logging level changed from errors to warnings. The network engineer, Sarah, decides to use Ansible to make this change efficiently.
First, Sarah creates an inventory file called routers.ini that lists all 50 routers with their IP addresses and SSH usernames. She stores the SSH password in a secure vault. Then she writes a playbook called update_syslog.yml. The playbook has one play targeting the branch routers group and one task that uses the cisco.ios.ios_config module. The task specifies two lines: one to add the syslog server IP and one to set the logging level to warnings. She also includes a second task to save the configuration using the write memory command.
Sarah runs the playbook from her laptop using the command ansible-playbook -i routers.ini update_syslog.yml. The command starts and connects to each router in sequence. For each router, Ansible checks the current running configuration. If the syslog server is already present and the logging level is correct, Ansible makes no changes. If the configuration needs updating, Ansible enters global configuration mode and applies the changes. After applying, it saves the configuration. The output shows that 48 routers were updated successfully, 2 routers were already compliant, and 1 router was unreachable due to a network issue.
Sarah fixes the connectivity issue on the unreachable router and reruns the playbook for that single device. The entire process takes less than 15 minutes, compared to the hours it would have taken to SSH into each router manually. The playbook is also saved in the company's version control system, so the change is documented and can be audited.
Common Mistakes
Thinking Ansible requires an agent installed on every network device.
Ansible is agentless, meaning it does not require any software to be installed on the devices it manages. It connects using SSH or APIs that are already available on the network device. This is a core difference from tools like Puppet or Chef that require agents.
Remember that Ansible uses SSH or API connections. No agent installation is needed on routers or switches.
Confusing the inventory with the playbook. Some learners think the inventory contains the configuration commands.
The inventory only lists the devices to be managed, along with connection details like IP addresses and credentials. The playbook contains the actual tasks and configuration commands. Mixing these up leads to incorrect automation design.
Think of inventory as a list of addresses. The playbook is the instruction manual. They are separate files with separate purposes.
Assuming Ansible works exactly the same way on all device types without using the correct module.
Different network operating systems use different modules. For example, Cisco IOS uses cisco.ios.ios_config, while Arista EOS uses arista.eos.eos_config. Using the wrong module will cause the playbook to fail or behave unpredictably.
Always check the documentation for the correct module for the specific device OS. Use the ansible_network_os variable in the inventory to help Ansible choose the right module automatically.
Believing that Ansible playbooks are written in Python or some other programming language.
Playbooks are written in YAML, a human-readable data serialization language. YAML uses indentation to define structure. It is not a programming language, though it can contain inline Python code for advanced cases. Beginners often overcomplicate the syntax.
Learn the basics of YAML: lists use dashes, dictionaries use key-value pairs, and indentation matters. Practice reading and writing simple playbooks to build confidence.
Neglecting to use the --check flag when testing playbooks in a production environment.
Running a playbook without a dry run can cause unintended changes to live network devices. The --check flag simulates the changes without applying them, allowing the engineer to review what would happen.
Always run a playbook with ansible-playbook --check first. Review the output. Only remove the --check flag once you are confident the changes are safe.
Exam Trap — Don't Get Fooled
The exam may state that Ansible requires Python to be installed on the managed network devices. This is false. Remember that Ansible for network devices does not require Python on the target routers or switches.
Ansible uses SSH or APIs to communicate. The control node (where you run the playbook) must have Python and Ansible installed, but the managed devices only need SSH or API access enabled. This applies to all network devices, not just Cisco.
Commonly Confused With
Puppet is a pull-based configuration management tool that requires an agent installed on the managed device. Ansible is push-based and agentless. In Puppet, the device checks a central server periodically for updates. In Ansible, the control node sends updates to devices on demand.
If you need to update 100 routers immediately, Ansible is better because you push the change once. With Puppet, you would have to wait for each router's next scheduled check-in, which could be hours.
NETCONF is a network management protocol that uses YANG data models to describe configuration. Ansible can use NETCONF as a transport method, but Ansible itself is a broader automation tool that supports multiple transports (SSH, RESTCONF, APIs). NETCONF/YANG is a standardised way to represent and modify device state, while Ansible is a framework to orchestrate those changes.
Think of NETCONF/YANG as the language and grammar, and Ansible as the author who writes the instructions. Ansible can speak NETCONF, but it can also speak other languages like SSH commands.
Cisco DNA Center is a network controller platform that provides automation, assurance, and analytics for Cisco devices. It has a web GUI and APIs. Ansible is a general-purpose automation tool that works with many vendors. DNA Center is specific to Cisco and often used for campus networks, while Ansible is used for data centre, campus, and service provider networks alike.
If your network is entirely Cisco and you want a built-in solution, DNA Center might be the choice. If you have a multi-vendor network, Ansible is more flexible. Also, Ansible can automate DNA Center itself via its API.
Step-by-Step Breakdown
Install Ansible on the Control Node
The control node is the machine from which automation is run. It must have Linux or macOS and Python 3 installed. Ansible is installed via pip (Python package manager). This machine does not need to be powerful, but it must have network access to all managed devices.
Create an Inventory File
The inventory file defines the target devices. It can be a simple text file listing IP addresses or hostnames, grouped logically. For example, all routers in branch1 can be in a group called [branch1]. Each device can have variables like ansible_user and ansible_ssh_pass.
Define Connection Variables
For network devices, you must set the ansible_connection variable. For Cisco IOS over SSH, set it to network_cli. Also set ansible_network_os to ios so Ansible uses the correct modules. These variables can be defined in the inventory or in a separate group_vars file.
Write a Playbook
The playbook is a YAML file that contains one or more plays. Each play targets a group of devices and lists tasks. A task uses a module with parameters. For configuration changes, the cisco.ios.ios_config module is common. The playbook should also include a task to save the running configuration to startup.
Run the Playbook
Execute the playbook using the ansible-playbook command, specifying the inventory file. Use the --check flag first to see what would change without applying. After reviewing, remove --check to apply changes. Monitor the output for any errors or unreachable hosts.
Review the Results
Ansible provides a summary after execution, showing how many devices were changed, how many were ok, and how many were unreachable or failed. This feedback helps identify issues. If a device fails, check the error message, fix the problem (e.g., credentials, connectivity), and rerun the playbook.
Version Control the Playbooks
Save all playbooks, inventory files, and variable files in a version control system like Git. This creates an audit trail of changes and allows rollback if needed. It also enables team collaboration, as multiple engineers can review and improve the automation code.
Practical Mini-Lesson
Ansible for Network Automation is not just about learning a tool; it is about adopting a new way of thinking about network management. Instead of treating each device as an individual configuration project, you treat the entire network as a single system defined by code. This concept is often called infrastructure as code, or IaC. The key principle is that the desired state of the network is expressed in files, and the automation tool ensures that the actual state matches.
To start using Ansible for network automation, you need to set up a control node. Most network engineers use a Linux virtual machine or a Mac laptop. Install Python and then run pip install ansible. For network automation, you also need the ansible.netcommon collection, which provides network-specific modules and plugins. This collection is installed via ansible-galaxy collection install ansible.netcommon.
The inventory is the first real file you will create. A simple static inventory could look like this:
[dc-core] core-router1 ansible_host=10.1.1.1 core-router2 ansible_host=10.1.1.2
[dc-core:vars] ansible_connection=network_cli ansible_network_os=ios ansible_user=admin ansible_ssh_pass=secret
This defines two core routers and sets common connection variables for the group. Note that storing plain text passwords is insecure. In production, use ansible-vault to encrypt sensitive data.
Next, write a playbook. A minimal playbook to gather facts from a router looks like this:
--- - name: Gather facts from core routers hosts: dc-core gather_facts: no tasks: - name: Collect IOS facts cisco.ios.ios_facts: register: device_facts
- name: Print serial number debug: msg: "Serial number is {{ device_facts.ansible_facts.ansible_net_serialnum }}"
This playbook connects to both core routers, gathers facts like serial number, IOS version, and interfaces, and then prints the serial number. The register keyword stores the output in a variable for later use.
In real environments, you will write more complex playbooks. For example, to configure a VLAN on multiple switches, you would use a loop:
--- - name: Configure VLANs on access switches hosts: access-switches gather_facts: no tasks: - name: Ensure VLAN 100 exists cisco.ios.ios_vlan: vlan_id: 100 name: Sales state: present
Common pitfalls include forgetting to set the correct module, not specifying the parents parameter when configuring interface subcommands, and not saving the configuration. Always include a task to save the config at the end of the playbook using the ios_config module with save_when: modified.
Ansible also allows you to use conditionals, loops, and templates. Jinja2 templating is powerful for generating configuration files dynamically. For instance, you can create a template for Syslog configuration that varies per site and use variables from the inventory.
What can go wrong? Network connectivity issues, incorrect credentials, mismatched modules, and YAML syntax errors are the most common. Always validate the YAML with a linter before running. Use the ansible-playbook --syntax-check command to catch errors early. For connectivity issues, use the ansible -m ping command to test reachability before running a full playbook.
Ansible connects to broader IT concepts like continuous integration and continuous deployment (CI/CD). You can integrate Ansible playbooks into a CI/CD pipeline using tools like Jenkins or GitLab CI. This means that when a change is committed to the code repository, the playbook automatically runs against a test network, and after validation, against production. This closes the loop between network configuration and application development.
Memory Tip
Think of A-N-S-I-B-L-E: A New System, Idempotent, Bypasses Logging Everywhere. The key point is that Ansible is agentless and idempotent, meaning it only changes what needs changing.
Covered in These Exams
Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
Do I need to install anything on my Cisco router to use Ansible?
No, Ansible is agentless. Your router only needs SSH enabled and a user account with the appropriate privileges. Ansible connects using SSH and executes commands just as you would from a terminal.
Can Ansible work with both Cisco IOS and NX-OS?
Yes, Ansible has separate modules for different operating systems. Use cisco.ios.ios_config for IOS and cisco.nxos.nxos_config for NX-OS. The playbook structure is similar, but the module names and supported parameters differ.
Is YAML hard to learn?
YAML is designed to be easy to read and write. The main rule is that indentation matters. Use spaces, not tabs. Lists use dashes, and dictionaries use key-value pairs. Most people pick it up in a few hours.
What does idempotent mean in the context of Ansible?
Idempotent means that running the same playbook multiple times produces the same result. If the device already matches the desired state, Ansible makes no changes. This prevents errors from duplicate commands and makes automation safe to repeat.
Can I use Ansible to backup my router configurations?
Yes. You can write a playbook that uses the ios_config module with the backup: yes parameter. This will retrieve the device configuration and save it to a local file with a timestamp. It is a common way to perform configuration backups.
What is the difference between Ansible and Ansible Tower?
Ansible is the open-source command-line tool. Ansible Tower (now Red Hat Ansible Automation Platform) is a commercial product that adds a web interface, role-based access control, scheduling, and integration with enterprise tools like LDAP and Slack.
Summary
Ansible for Network Automation is a powerful tool that allows network engineers to manage devices at scale using simple, human-readable playbooks. Instead of logging into each router or switch to make changes, you write a description of the desired configuration and let Ansible handle the execution. This approach saves time, reduces errors, ensures consistency across the network, and creates an audit trail of changes.
For certification exams like the Cisco CCNP ENCOR, you need to understand the core concepts: Ansible is agentless, push-based, and uses YAML playbooks. You must know the components including the control node, inventory, playbook, and modules. You should be able to compare Ansible with other tools like Puppet and explain why it is suited for network automation.
Take note of common mistakes, such as assuming agents are needed or confusing the inventory with the playbook. In the exam, you will face conceptual questions, scenario questions, and troubleshooting questions. Focus on understanding the workflow and the rationale behind each component.
With this knowledge, you will be prepared to answer automation questions confidently and to apply the tool in real-world network management tasks.