How to Automate Cisco and Juniper Configs with Ansible in 2026

You are currently viewing How to Automate Cisco and Juniper Configs with Ansible in 2026

How to Automate Cisco and Juniper Configs with Ansible in 2026

Image by: panumas nikhomkhai

The hidden cost of manual network management

Did you know that 95% of network outages stem from human configuration errors according to Gartner research? For network administrators juggling Cisco routers, Juniper firewalls, and Arista switches simultaneously, manual CLI management isn’t just tedious—it’s a business risk. Heterogeneous network automation with Ansible transforms this fragile reality. This tutorial delivers a battle-tested framework for managing mixed environments while eliminating CLI mistakes. You’ll master inventory design for diverse devices, build failure-proof playbooks, implement military-grade credential security, and deploy validation that slashes downtime. By the end, you’ll convert network chaos into predictable operations—even during midnight upgrades.

Building smart multi-vendor inventory files

A dynamic inventory is your foundation for heterogeneous network automation. Traditional host lists fail when managing Cisco IOS, Junos OS, and Arista EOS devices concurrently. Solution? Group-based organization with vendor-specific variables. Consider this snippet:

[cisco_switches]
switch1 ansible_host=192.168.1.10
switch2 ansible_host=192.168.1.11

[juniper_firewalls]
fw1 ansible_host=192.168.1.20

[cisco_switches:vars]
ansible_network_os=ios
ansible_connection=network_cli

[juniper_firewalls:vars]
ansible_network_os=junos
ansible_connection=netconf

Critical best practices:

  • Use ansible_network_os to declare platform types (ios, junos, eos)
  • Leverage group_vars for vendor-specific modules and connection methods
  • Integrate with CMDB systems via dynamic inventory scripts

This structure enables single-command execution across vendors. Test connectivity with:

ansible all -m ansible.netcommon.cli_command -a “commands=’show version'”

Vendor module compatibility matrix

Task Cisco IOS Module Juniper Junos Module Arista EOS Module
VLAN Creation cisco.ios.ios_vlan junipernetworks.junos.junos_vlans arista.eos.eos_vlan
Interface Config cisco.ios.ios_interfaces junipernetworks.junos.junos_interfaces arista.eos.eos_interfaces
ACL Management cisco.ios.ios_acls junipernetworks.junos.junos_acl arista.eos.eos_acl
OS Upgrade cisco.ios.ios_image junipernetworks.junos.junos_software arista.eos.eos_image

Creating idempotent playbooks for VLAN and firewall control

Idempotency ensures playbooks produce identical results whether run once or 100 times—critical for avoiding configuration drift. For VLAN deployment across vendors, abstract differences using standardized variables:

- name: Configure core VLANs
  hosts: network_core
  tasks:
    - name: Ensure VLAN exists
      cisco.ios.ios_vlan:
        vlan_id: "{{ item.id }}"
        name: "{{ item.name }}"
        state: present
      loop: "{{ vlans }}"
      when: ansible_network_os == 'ios'

Firewall rule management requires similar abstraction. This playbook snippet adds an ANY-ANY deny rule as final policy entry:

  1. Capture existing rules with ios_acl_facts or junos_acl_facts
  2. Check if deny-all rule exists using assert
  3. Add rule only when absent using vendor modules

Pro tip: Store rule sets in version-controlled YAML files for audit trails and reuse.

Securing credentials with Ansible Vault implementation

Hardcoding credentials in playbooks violates security fundamentals. Ansible Vault encrypts sensitive data using AES256, integrating seamlessly with your automation workflow. Follow this implementation sequence:

  1. Create encrypted variables file: ansible-vault create vars/secrets.yml
  2. Define credentials:
    ansible_user: admin
    ansible_ssh_pass: $encrypted$
  3. Reference in playbooks:
    vars_files:
      – vars/secrets.yml

For team environments, distribute vault passwords via HashiCorp Vault or encrypted Slack channels. Always rotate vault passwords quarterly and audit access monthly.

Automated validation: Your downtime reduction shield

Validation transforms risky changes into controlled deployments. Implement pre/post checks that run in seconds, not hours:

  • Pre-flight checks: Confirm device reachability with wait_for_connection
  • Config diffs: Use ios_config_diff before committing changes
  • Post-validation: Verify BGP neighbors or interface states post-change

This firewall upgrade playbook snippet prevents bricking devices:

- name: Validate firmware compatibility
  ansible.builtin.assert:
    that: current_version in supported_versions
    fail_msg: "Unsupported OS version!"
    
- name: Post-upgrade service check
  ansible.netcommon.cli_command:
    commands: "show services"
  register: result
  failed_when: "'HTTP Service: RUNNING' not in result.stdout"

Studies show such checks reduce change-related outages by 78%.

Frequently asked questions

How do I handle devices not natively supported by Ansible?

Use the ansible.netcommon.network_cli connection plugin with cli_command for generic devices. For API-only devices, leverage the uri module to interact with REST endpoints. Always encapsulate vendor quirks in custom roles for reusability.

Can I manage legacy devices without SSH?

Yes, via Telnet using ansible.netcommon.network_cli with protocol: telnet. However, prioritize upgrading to SSH-enabled devices. For console-only access, tools like OpenGear can bridge the automation gap.

How does idempotency prevent configuration drift?

Idempotent modules first check current state before making changes. For example, the ios_vlan module verifies if a VLAN exists before creating it. This ensures playbooks enforce desired state without redundant changes, maintaining consistency across devices.

What’s the alternative if I can’t use Ansible Vault?

Integrate with existing secret managers like CyberArk or Thycotic using the ansible.builtin.lookup plugin. For cloud environments, leverage IAM roles with temporary credentials. Never store credentials in plaintext—even in private repositories.

Conclusion

Mastering heterogeneous network automation with Ansible eliminates manual CLI risks while accelerating change delivery. You’ve learned to architect vendor-agnostic inventories, build idempotent VLAN/firewall playbooks, lock down credentials with Vault, and implement validation that prevents costly outages. Remember: The real win comes from operational consistency—applying identical processes to Cisco, Juniper, and Arista devices simultaneously. Ready to transform network operations? Download our production playbook templates to kickstart your automation journey today. What critical network task will you automate first?