CCNA 200-301 | Chapter 107 of 260 | Objective 6.1

Network Automation Benefits

Imagine trying to manage a network of 500 routers by logging into each one manually to apply a new ACL. That's the old way. Network automation uses software to configure, manage, and monitor network devices programmatically, reducing human error and speeding up changes. For the CCNA 200-301 exam, objective 6.1 covers the benefits of automation—a topic that underpins modern network engineering and separates script kiddies from real engineers.

25 min read
Beginner
Updated May 31, 2026

The Factory Assembly Line vs. Handcrafting

Think of a factory that builds cars. In the old days, each car was handcrafted by a single worker who performed every step: welding, painting, installing the engine, and tightening bolts. This is like a network engineer SSH'ing into each switch to configure VLANs, STP, and port security one by one. The process is slow, error-prone, and inconsistent—one worker might tighten bolts to 50 Nm, another to 40 Nm. Now imagine a modern assembly line: a robotic arm precisely welds the chassis, another paints with exact thickness, and a third installs the engine using a programmed sequence. The entire line is controlled by a central computer that sends commands to each robot. This is network automation: a controller (like Ansible or a Python script) pushes the same configuration to all switches simultaneously, ensuring every port is configured identically. The robots don't think; they just execute. Similarly, network devices receive CLI commands via APIs or SSH and apply them without deviation. The assembly line can also run a quality check after each step—automation can verify that the configuration took effect and alert if not. If a new car model is introduced, the central computer updates the robot programs, and all lines switch over instantly. In networking, when a new security policy is needed, you update the automation script and push it to every device in minutes. The factory analogy also highlights idempotency: if a robot tries to tighten a bolt that's already tight, nothing bad happens—automation tools like Ansible are idempotent, meaning they only apply changes if the current state differs from the desired state. This prevents accidental misconfigurations from re-running scripts. The key takeaway: automation brings consistency, speed, and reliability, just like an assembly line compared to handcrafting.

How It Actually Works

What is Network Automation and Why Does It Exist?

Network automation is the use of software to automate the configuration, management, testing, deployment, and operation of physical and virtual network devices. It exists because manual CLI-based management does not scale. In a network with hundreds or thousands of devices, human error is the leading cause of outages—a typo in a BGP configuration can take down an entire data center. Automation eliminates these errors by ensuring consistent, repeatable configurations.

How It Works: The Toolchain

At a high level, network automation involves three components: a source of truth, a transport mechanism, and device agents. The source of truth is a database or file (like a YAML inventory) that defines the desired state of each device—hostname, IP addresses, VLANs, routing protocols, etc. The transport mechanism is how commands reach the device: SSH (CLI), NETCONF (XML), RESTCONF (JSON), or gRPC (protobuf). Device agents are the software on the device that interprets and applies the commands. For example, an Ansible playbook reads a YAML file, SSHes into a switch, and issues vlan 10 commands. The switch's IOS processes them as if a human typed them.

Key Benefits for CCNA

Cisco expects you to understand these benefits:

- Reduced human error: Automation applies the same config every time, avoiding typos or missed steps.
- Faster deployments: A script can configure 100 switches in 5 minutes, vs. 2 hours manually.
- Consistent configurations: All devices in a role (e.g., access switches) have identical settings.
- Improved compliance: Audit scripts can check that every switch has the required ACLs or SNMP strings.
- Faster troubleshooting: Automation can collect show commands from all devices and parse them for anomalies.
- Rollback capability: If a change fails, automation can revert to the previous config.

Common Automation Tools

The CCNA exam does not require deep tool knowledge, but you should recognize:

- Ansible: Agentless, uses YAML playbooks, pushes config via SSH.
- Puppet/Chef: Agent-based, uses a pull model where devices fetch config from a master.
- Python with libraries (Netmiko, NAPALM): Custom scripts that SSH into devices.
- Cisco DNA Center: GUI-based automation for intent-based networking.

Automation vs. Orchestration

Automation is a single task (e.g., configure VLAN 10 on a switch). Orchestration is coordinating multiple automated tasks across different systems (e.g., when a new VM spins up, orchestration triggers the network to create a new VLAN, update DNS, and add firewall rules). For CCNA, know that automation is a subset of orchestration.

Idempotency and Desired State

A critical concept: idempotency means applying the same configuration multiple times results in the same state. For example, if you run a playbook that sets vlan 10 and it already exists, nothing changes. This prevents accidental duplicate commands. Desired state management means you define what the network should look like, and the automation tool brings it to that state, correcting any drift.

IOS CLI and Automation

Even with automation, you still need to know CLI. For example, an Ansible playbook might use:

```yaml
- name: Configure VLAN
  ios_vlan:
    vlan_id: 10
    name: DATA
    state: present
```

This translates to:

```
Switch(config)# vlan 10
Switch(config-vlan)# name DATA
```

The automation tool just sends the CLI commands over SSH. So understanding the underlying CLI is essential for writing and debugging automation scripts.

Verification Commands

Automation can run show commands and parse output. For example, to verify a VLAN:

```
Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1
10   DATA                             active    Gi0/2
```

An automation script can check that VLAN 10 is present and on the correct ports.
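The verification step above and the idempotency rule from earlier can be combined in one script. This is an added example, not code from the original page: it parses `show vlan brief` text, emits CLI only where the device differs from the desired state, and reports ports that have drifted into a managed VLAN. The sample output, the function names, and the VOICE and GUEST VLANs are constructed for illustration.

```python
import re

# Constructed `show vlan brief` output (not captured from a real device).
SAMPLE_OUTPUT = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1
10   DATA                             active    Gi0/2
20   VOICE                            active    Gi0/3, Gi0/4, Gi0/5, Gi0/6
                                                Gi0/7
1002 fddi-default                     act/unsup
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]


def parse_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str]}}."""
    vlans, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = int(m.group(1))
            vlans[last] = {"name": m.group(2), "status": m.group(3),
                           "ports": _ports(m.group(4))}
        elif last is not None and line.startswith(" ") and line.strip():
            # Long port lists wrap onto indented continuation lines.
            vlans[last]["ports"] += _ports(line)
    return vlans


def commands_to_converge(desired, current):
    """Idempotent diff: emit CLI only where current state differs from desired."""
    cmds = []
    for vid, want in sorted(desired.items()):
        have = current.get(vid, {"name": None, "ports": []})
        if have["name"] != want["name"]:
            cmds += [f"vlan {vid}", f" name {want['name']}"]
        for port in sorted(set(want["ports"]) - set(have["ports"])):
            cmds += [f"interface {port}", " switchport mode access",
                     f" switchport access vlan {vid}"]
    return cmds


def drift(desired, current):
    """Ports sitting in a managed VLAN that the source of truth does not list."""
    return {vid: sorted(set(current[vid]["ports"]) - set(want["ports"]))
            for vid, want in desired.items()
            if vid in current and set(current[vid]["ports"]) - set(want["ports"])}


if __name__ == "__main__":
    want = {30: {"name": "GUEST", "ports": ["Gi0/9"]}}
    print(commands_to_converge(want, parse_vlan_brief(SAMPLE_OUTPUT)))
```

An empty command list for a device that already matches is what makes a re-run safe; a non-empty `drift` result is worth alerting on, since it means a port was moved outside the automation workflow.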

Interaction with Other Protocols

Automation does not replace routing/switching protocols; it configures them. For example, you might automate OSPF configuration across all routers:

```
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
```

Automation ensures all routers have the same OSPF process ID and network statements. It can also monitor OSPF neighbor states via show ip ospf neighbor and alert if any are missing.

Security Considerations

Automation accounts (service accounts) must have the right privileges. Use AAA (TACACS+ or RADIUS) to control access. Never store plaintext passwords in scripts—use Ansible Vault or environment variables. Also, always test automation in a lab first; a buggy script can wipe out your entire network config.
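One way to enforce the no-plaintext-passwords rule is a check that runs over variable files before they are committed. This is an added example, not code from the original page: the sample file, the key-name pattern, and the function names are assumptions, and the check treats inline Ansible Vault values (`!vault`) and run-time templates such as an `env` lookup as acceptable.

```python
import re

# Constructed group_vars file for illustration; every value is a placeholder.
SAMPLE_VARS = """\
ansible_user: svc_netauto
ansible_password: Sup3rS3cret!
ansible_become_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          <ciphertext placeholder>
snmp_auth_password: "{{ lookup('env', 'SNMP_AUTH') }}"
enable_secret: 'cisco123'
# ansible_password: old-value-left-in-comment
"""

# Key names that usually hold credentials (assumed naming convention).
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|community|token|key)$", re.I)
# "key: value" lines, including ones that have been commented out.
ASSIGN = re.compile(r"^\s*#?\s*([A-Za-z_][\w.-]*)\s*:\s*(.*)$")


def is_protected(value):
    """True if the value is vault ciphertext, a run-time template, or empty."""
    raw = value.strip()
    bare = raw.strip("\"'")
    return (not bare
            or raw.startswith("!vault")  # inline Ansible Vault ciphertext
            or (bare.startswith("{{") and bare.endswith("}}")))  # resolved at run time


def find_plaintext_secrets(text):
    """Return [(line_number, key)] for credential keys holding literal values.

    The value itself is never returned, so the report is safe to log.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m and SECRET_KEY.search(m.group(1)) and not is_protected(m.group(2)):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_VARS):
        print(f"line {lineno}: {key} holds a literal value")
```

Commented-out credentials are flagged too, because a comment in a repository is as readable as the live value.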

Summary

Network automation is not optional in modern networks. The CCNA tests your understanding of why it's used: to reduce errors, increase speed, and ensure consistency. You don't need to write scripts on the exam, but you must be able to identify the benefits and basic concepts.

Walk-Through

1. Identify a repetitive task

The first step in automation is to identify a task that is done frequently and is prone to human error. Examples: adding a new VLAN to all access switches, updating SNMP community strings, or backing up running configs. For the CCNA, think of tasks that require the same commands on multiple devices. The goal is to reduce manual effort and ensure consistency.

2. Define the desired state

Decide exactly what the configuration should look like. For example, you want VLAN 10 named DATA on all access switches. Write this in a format the automation tool understands, like YAML. For Ansible:

```yaml
vlan_id: 10
name: DATA
state: present
```

This defines the desired state. The automation tool will compare the current state (via show commands) and only make changes if needed.

3. Select an automation tool

Choose a tool that fits your environment. For CCNA, you should know Ansible (agentless, push model) and Python with Netmiko (custom scripts). Ansible is popular because it's easy to read (YAML) and doesn't require agents on devices. For example, an Ansible playbook to configure VLANs on Cisco switches would use the `ios_vlan` module. The tool handles the SSH connection and command execution.

4. Write the automation script or playbook

Create the script that will execute the task. In Ansible, you write a playbook like:

```yaml
---
- name: Configure VLANs
  hosts: switches
  gather_facts: no
  tasks:
    - name: Create VLAN 10
      ios_vlan:
        vlan_id: 10
        name: DATA
        state: present
```

This tells Ansible to connect to all hosts in the 'switches' group and run the `ios_vlan` module. The module translates the YAML into CLI commands and sends them via SSH.

5. Test in a lab environment

Never run automation on production devices without testing. Use a lab with virtual or physical devices. Run the playbook with `--check` mode (dry run) to see what changes would be made without applying them. For example:

```
ansible-playbook vlan.yml --check
```

This shows the diff. Also test on a single device first using `--limit`:

```
ansible-playbook vlan.yml --limit switch1
```

Verify the config manually before rolling out to all devices.

6. Deploy and verify

Once tested, run the playbook on the target devices. Use verbose mode to see the commands being sent:

```
ansible-playbook vlan.yml -v
```

After deployment, verify the configuration by running a show command via automation. For example, use the `ios_command` module to run `show vlan brief` and check that VLAN 10 is present. If any device fails, the playbook should report it. Automation can also send notifications (email, Slack) on success or failure.

What This Looks Like on the Job

In a large enterprise with 500 access switches, manually configuring a new voice VLAN on every switch would take a team of engineers weeks and inevitably introduce errors—some switches might get the wrong VLAN ID or miss the QoS markings. With automation, a single Ansible playbook can configure all 500 switches in under 10 minutes. The playbook defines the desired VLAN, QoS policy, and port assignments. It connects to each switch via SSH, applies the config, and verifies it by checking show vlan and show mls qos. If a switch fails (e.g., due to a connectivity issue), the playbook logs the error and moves on, allowing the engineer to fix the outlier later.

Another scenario: compliance audits. A financial institution must ensure that all switches have SNMPv3 enabled and ACLs that restrict management access. Without automation, an auditor would manually sample devices. With automation, a Python script runs show snmp and show ip access-lists on every device, parses the output, and generates a compliance report. Any device missing the required config is flagged for remediation. The script can also automatically apply the missing config using the same automation toolchain.
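The audit described above, sketched as an added example that is not code from the original page. It checks collected configuration text rather than `show` output, and the policy details are assumptions: an SNMPv3 group with authentication must exist, no v1/v2c community strings may remain, and every `line vty` block must reference a defined ACL with an inbound `access-class`. Device names and configs are constructed.

```python
import re

# Constructed running-config excerpts (not from real devices).
CONFIGS = {
    "sw-access-01": """\
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
snmp-server group NETOPS v3 priv
line vty 0 4
 access-class MGMT-ONLY in
line vty 5 15
 access-class MGMT-ONLY in
""",
    "sw-access-02": """\
snmp-server community public RO
line vty 0 4
line vty 5 15
 access-class MGMT-ONLY in
""",
}


def blocks(config):
    """Split IOS config into {parent_line: [child_lines]} by indentation."""
    out, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            parent = line.strip()
            out[parent] = []
        elif parent is not None:
            out[parent].append(line.strip())
    return out


def audit(config):
    """Return policy findings for one device; an empty list means compliant."""
    cfg, findings = blocks(config), []
    if not any(re.match(r"snmp-server group \S+ v3 (auth|priv)\b", p) for p in cfg):
        findings.append("no SNMPv3 group with authentication")
    if any(p.startswith("snmp-server community ") for p in cfg):
        findings.append("SNMPv1/v2c community string configured")
    acl_def = re.compile(r"(?:ip access-list \w+|access-list) (\S+)")
    acls = {m.group(1) for p in cfg if (m := acl_def.match(p))}
    for vty in (p for p in cfg if p.startswith("line vty")):
        refs = [c.split()[1] for c in cfg[vty]
                if c.startswith("access-class ") and c.endswith(" in")]
        if not refs:
            findings.append(f"{vty}: no inbound access-class")
        elif refs[0] not in acls:
            # An access-class naming an ACL that does not exist filters nothing.
            findings.append(f"{vty}: access-class uses undefined ACL {refs[0]}")
    return findings


def report(configs):
    """Map each non-compliant device to its findings."""
    return {dev: f for dev, text in configs.items() if (f := audit(text))}
```

Checking that the referenced ACL is actually defined catches a gap a sampling auditor would miss: the `access-class` line looks correct but restricts nothing.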

A common pitfall: misconfigured automation scripts that overwrite entire configs instead of making incremental changes. For example, an `ios_config` task with `lines:` that replaces the entire running config rather than appending. Always use idempotent modules that only add or modify specific lines. Also, consider network stability: if you automate OSPF configuration, ensure you don't cause routing flaps by removing and re-adding network statements. Use replace or update strategies carefully.

Scale considerations: automation tools must handle device response times. If you have 1000 devices and each takes 5 seconds to SSH and apply config, total time is ~1.5 hours. Use parallelism (e.g., Ansible forks) to reduce time. But too many concurrent connections can overwhelm the management network. Limit forks to 10-20 in production. Also, always have a backup plan: if the automation server fails, you should still be able to manually configure devices via CLI. Automation is a tool, not a crutch.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 6.1 is 'Explain the benefits of network automation.' This is a conceptual topic—you won't be asked to write a script, but you must understand why automation is used and its advantages over manual configuration. Expect multiple-choice questions that present a scenario and ask which benefit applies, or which statement about automation is true.

Common wrong answers:

1. 'Automation eliminates the need for network engineers.' Wrong—automation changes the role but doesn't eliminate it; engineers are still needed to design, test, and troubleshoot.
2. 'Automation always reduces costs immediately.' Wrong—initial setup and training costs can be high; long-term savings come from reduced errors and faster deployments.
3. 'Automation tools like Ansible require an agent on the device.' Wrong—Ansible is agentless; it uses SSH. Puppet/Chef use agents.
4. 'Automation is only useful for large networks.' Wrong—even small networks benefit from consistency and reduced errors.

Key points to remember:

Automation reduces human error, increases speed, ensures consistency, and improves compliance.

Idempotency means running the same automation multiple times produces the same result.

Desired state management: you define what you want, and the tool makes it so.

Automation can be used for configuration, monitoring, and compliance auditing.

Tools: Ansible (push, agentless), Puppet/Chef (pull, agent-based), Python (custom scripts).

Decision rule for scenario questions: If the scenario mentions 'reducing configuration errors across many devices', the benefit is 'consistency' or 'reduced human error'. If it mentions 'quickly deploying a new service', the benefit is 'speed' or 'faster deployments'. If it mentions 'ensuring all devices meet security policies', the benefit is 'compliance'.

Also, know that automation is not a magic bullet—it requires careful planning, testing, and monitoring. The exam might ask about risks: a bug in an automation script can cause widespread outages. Always test in a lab first.

Finally, Cisco DNA Center is Cisco's automation platform for intent-based networking. It provides a GUI for automation, assurance, and policy. You might see questions about DNA Center's role in automation—it uses intent (what you want) rather than CLI commands.

Key Takeaways

Network automation reduces human error by applying consistent configurations across devices.

Idempotency ensures that running the same automation multiple times does not cause duplicate changes.

Ansible is an agentless automation tool that pushes configurations via SSH.

Puppet and Chef use a pull model where devices fetch configurations from a master server.

Automation can be used for configuration, monitoring, compliance auditing, and troubleshooting.

Desired state management defines the target configuration, and automation brings the device to that state.

Always test automation scripts in a lab before deploying to production.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Ansible

Agentless (uses SSH)

Push model (server pushes config to devices)

Uses YAML playbooks

Idempotent modules

Popular for network automation due to simplicity

Puppet

Agent-based (requires agent on device)

Pull model (devices fetch config from master)

Uses Puppet DSL (custom language)

Idempotent resources

More common in server configuration management

Watch Out for These

Mistake

Network automation will replace network engineers.

Correct

Automation changes the role of network engineers, shifting focus from manual configuration to designing, testing, and managing automation systems. Engineers are still needed for complex troubleshooting and strategic decisions.

This belief comes from fear of job loss, but automation actually creates new opportunities for engineers with scripting skills.

Mistake

Automation is only for large enterprises with hundreds of devices.

Correct

Even small networks benefit from automation—reducing typos, ensuring consistency, and saving time on repetitive tasks like backing up configs.

People assume automation requires significant investment, but simple scripts can be used on a few devices.

Mistake

Ansible requires an agent installed on each network device.

Correct

Ansible is agentless; it connects to devices via SSH and executes commands directly. Puppet and Chef require agents.

Candidates confuse Ansible with Puppet/Chef because all are configuration management tools.

Mistake

Automation always reduces costs immediately.

Correct

Initial costs include training, tool setup, and script development. Long-term savings come from reduced errors and faster deployments, but ROI may take time.

Marketing hype often overstates immediate savings, leading to unrealistic expectations.


Frequently Asked Questions

Do I need to know Python for the CCNA automation exam?

No, the CCNA exam does not require you to write or read Python code. However, you should understand the concept of automation tools and their benefits. Knowing Python is helpful for real-world automation but not tested on the exam.

What is the difference between Ansible and Puppet?

Ansible is agentless (uses SSH) and uses a push model where the server pushes config to devices. Puppet requires an agent on the device and uses a pull model where devices fetch config from a master. Ansible uses YAML; Puppet uses its own DSL. For network automation, Ansible is more common.

Can automation replace the need for CLI knowledge?

No, automation scripts often contain CLI commands or translate to them. You need to understand CLI to write effective automation and to troubleshoot when automation fails. The exam still tests CLI knowledge.

What is idempotency and why is it important?

Idempotency means that applying the same configuration multiple times results in the same state. It prevents accidental changes from re-running scripts. For example, if you run a playbook to create a VLAN and it already exists, no command is sent. This is crucial for safe automation.

How does automation improve compliance?

Automation can enforce security policies by ensuring all devices have the required configurations (e.g., ACLs, SNMP settings). It can also audit devices by collecting configurations and comparing them to a baseline, flagging any deviations.

What is a 'source of truth' in network automation?

A source of truth is a database or file that contains the desired configuration for each device. It could be a YAML file, a spreadsheet, or a tool like NetBox. Automation tools read from this source to determine what changes to make.

Is Cisco DNA Center considered an automation tool?

Yes, Cisco DNA Center is a centralized management platform that provides automation, assurance, and policy-based networking. It allows you to configure devices via a GUI or API, and it uses intent-based networking to translate business intent into network configurations.
