Automation: Ansible and Cisco CSR1000v
Intro
With modern developments around Infrastructure-as-Code, and more specifically Networking-as-Code, there is a greater demand to understand the development and deployment of network configurations through code such as Ansible.
Cisco has a great developer platform where you can learn more here.
Ansible is an automation platform that has been extended to support physical networks, software-defined networks and cloud-based networks. It is flexible and can be used across a diverse network of devices and domains, making it easier to automate your entire network and IT processes.
For installing Ansible we recommend starting here.
Ansible Galaxies
To make management of the Cisco device easier, we will download the Ansible IOS collection. From your shell/terminal simply execute the following:
ansible-galaxy collection install cisco.ios
Cisco Cloud Router CSR1000v
You will need a copy of the Cisco CSR 1000v virtual router, which can be downloaded from the Cisco website:
- Information about the CSR Router
- Download link – Cisco CSR 1000v download
Setup
Setup will not be covered here, but we assume you know how to set up VMware, VirtualBox, QEMU, or another suitable virtualisation platform.
Preparing the CSR Image
Before we can provision the state of the virtual router, we need to get it ready for Ansible. This means:
- changing the host name
- setting up an initial IP address
- enabling authentication
- enabling SSH
Changing the hostname
Use the virtual console to access the terminal of the router and type the following commands:
en
conf t
no ip domain
hostname ios-ex1
[ctrl-Z]
Setup an initial IP address
en
conf t
interface GigabitEthernet1
description Bridge Interface
ip address dhcp
ip nat outside
[ctrl-z]
Enabling authentication
We assume you are continuing from the previous terminal state, so enter this sequence of commands:
Remember: make a note of your credentials; we will need these later.
en
conf t
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
username cisco secret 5 <password>
enable secret 5 <password>
!
line vty 0 4
login local
transport input ssh
[ctrl-z]
WARNING: This is merely for our test system and for self-learning; please use appropriate credentials in your own or your business' enterprise environments!
Setup SSH
Note: by default Cisco will use a key length of 512 or 768 bits, but OpenSSH (for our Ansible connection) needs a minimum key length of 1024 bits.
en
conf t
crypto key generate rsa
1024
ip ssh version 2
Last steps
Note: again, the following commands make things easier in the lab; please don't use these in production!
Add the following to ansible.cfg:
host_key_checking=False
and
Add the following to your ~/.ssh/config:
Host <ip of csr1000v>
KexAlgorithms +diffie-hellman-group1-sha1
We should now be ready to play with Ansible networking on the CSR1000v
Ansible
You probably want to keep everything within a folder to keep things tidy in your workspace/shell. Create an appropriate directory and change directory:
mkdir ansible
cd ansible
If you want to know more about Ansible and its work-tree/directory layout, we advise reading this page.
Inventory File
Before we begin, you’ll need to create an inventory file and list some variables so ansible can connect to the new virtual CSR1000v image:
A basic inventory file is a tag, followed by the hostname and the IP address of the machine, as follows:
[iosxe]
ios-ex1 ansible_host=192.168.1.100
For completeness, here is a copy of our test inventory file, referring to our test CSR1000v image:
[iosxe]
ios-ex1 ansible_host=192.168.1.100
[iosxe:vars]
ansible_connection=network_cli
ansible_network_cli_ssh_type=paramiko
ansible_ssh_common_args='-o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes256-cbc'
ansible_network_os=ios
ansible_python_interpreter=/usr/bin/python
ansible_user=admin
ansible_password=cisco
ansible_port=22
ansible_become=yes
ansible_become_method=enable
ansible_become_password=cisco
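The lab notes above relax several SSH and Ansible defaults and keep passwords in the inventory. The following Python check is an added example, not part of the original post: it scans the text of an ansible.cfg, an SSH client config and an INI inventory for those lab-only settings so they are caught before the files are reused outside the lab. The sample file contents, the address 192.0.2.10 and the variable name vault_enable_secret are constructed for illustration.

```python
import re

# Lab-only SSH options used in this walkthrough and why each is a finding.
WEAK_SSH_TOKENS = {
    "diffie-hellman-group1-sha1": "1024-bit DH group with SHA-1",
    "ssh-rsa": "RSA host key signatures using SHA-1",
    "aes256-cbc": "CBC-mode cipher",
}
SECRET_KEYS = ("ansible_password", "ansible_become_password", "ansible_ssh_pass")
LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*[=:]\s*(.*)$")
# Constructed samples reusing the lab settings; vault_enable_secret is hypothetical.
SAMPLES = {
    "ansible.cfg": "[defaults]\nhost_key_checking=False\n",
    "ssh_config": "Host 192.0.2.10\n  KexAlgorithms +diffie-hellman-group1-sha1\n",
    "inventory.ini": (
        "[iosxe:vars]\n"
        "ansible_ssh_common_args='-o KexAlgorithms=+diffie-hellman-group1-sha1 "
        "-o HostKeyAlgorithms=+ssh-rsa -o Ciphers=+aes256-cbc'\n"
        "ansible_password=cisco\n"
        "ansible_become_password={{ vault_enable_secret }}\n"
    ),
}

def audit(text, source):
    """Return (source, line_no, message) findings for one config file's text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # blank lines, comments and section headers
        for token, why in WEAK_SSH_TOKENS.items():
            if token in line:
                findings.append((source, no, f"weak SSH option {token} ({why})"))
        m = LINE_RE.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip("'\" ")) if m else ("", "")
        if key == "host_key_checking" and value.lower() in ("false", "no", "0"):
            findings.append((source, no, "host key checking disabled"))
        if key in SECRET_KEYS and value and not value.startswith("{{"):
            findings.append((source, no, f"cleartext secret in {key}"))
    return findings

def audit_all(files):
    return [f for name, text in files.items() for f in audit(text, name)]

if __name__ == "__main__":
    for source, no, msg in audit_all(SAMPLES):
        print(f"{source}:{no}: {msg}")
```

A value that is a template reference such as {{ vault_enable_secret }} is treated as pointing at a secret stored elsewhere (for example an Ansible Vault file) and is not reported.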
Ansible Ping
Test that Ansible can communicate with the machine:
ansible iosxe -m ping -i inventory.ini
Hopefully, you will get a success message like below:
ios-ex1 | SUCCESS => {
"changed": false,
"ping": "pong"
}
Initial Automation Script
We created the following path and main.yml file that will contain our sample task code:
mkdir -p roles/ios/tasks
vi roles/ios/tasks/main.yml
---
- name: Configure top level config
  hosts: iosxe
  gather_facts: false
  tasks:
    - name: Configure hostname
      cisco.ios.ios_hostname:
        config:
          hostname: "{{ inventory_hostname }}"
        state: merged
    - name: Configure remove domain lookups
      cisco.ios.ios_system:
        state: absent
    - name: configure DNS lookup sources
      cisco.ios.ios_system:
        lookup_enabled: no
    - name: configure name servers
      cisco.ios.ios_system:
        name_servers:
          - 1.1.1.1
    - name: Remove uneeded banners
      ios_banner:
        banner: "{{ item }}"
        state: absent
      loop:
        - motd
        - exec
        - incoming
    - name: Update login banner
      ios_banner:
        banner: login
        text: |
          ----------------------------------------
          |
          | This banner was generated by Ansible
          |
          ----------------------------------------
          |
          | You are logged into {{ inventory_hostname }}
          |
          ----------------------------------------
        state: present
Execute our playbook:
❯ ansible-playbook -i inventory.ini --limit "ios-xe1" roles/ios/tasks/main.yml
Output:
PLAY [Configure top level config] ***********************************
TASK [Configure hostname] *******************************************
changed: [ios-xe1]
TASK [Configure remove domain lookups] ******************************
changed: [ios-xe1]
TASK [configure DNS lookup sources] *********************************
changed: [ios-xe1]
TASK [configure name servers] ***************************************
changed: [ios-xe1]
TASK [Remove uneeded banners] ***************************************
ok: [ios-xe1] => (item=motd)
ok: [ios-xe1] => (item=exec)
ok: [ios-xe1] => (item=incoming)
TASK [Update login banner] *******************************************
ok: [ios-xe1]
PLAY RECAP ***********************************************************
ios-xe1 : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
You should now have everything to practise your ansible and ansible-networking provisioning before playing in the enterprise!