Network Automation Guide: Configuring Cisco and Fortinet with Ansible

You are currently viewing Network Automation Guide: Configuring Cisco and Fortinet with Ansible

Network Automation Guide: Configuring Cisco and Fortinet with Ansible

Image by: Brett Sayles

Introduction

Did you know that 65% of network engineers still rely on manual processes for device configuration and policy management? This not only increases the risk of human error but also slows down operations. Automation is the key to streamlining network management, especially in multi-vendor environments. This tutorial will guide you through how to automate multi-vendor network environments using Ansible playbooks. You’ll learn how to securely manage firewall policies on Fortinet devices, push configurations to Cisco switches, and implement best practices such as secure SSH authentication, idempotent plays, Ansible Vault, and dry-run testing. By the end, you’ll have the tools to create scalable, secure, and efficient network automation workflows.

Setting up secure SSH authentication

Secure SSH authentication is the foundation of any network automation setup. Without a secure connection, your automation tasks could expose sensitive data to unauthorized users. Here’s how to ensure secure SSH authentication:

  • Use SSH keys instead of passwords: SSH keys are more secure and eliminate the need to store passwords in plain text.
  • Limit access to specific IPs: Configure your SSH server to allow connections only from trusted IP addresses.
  • Disable root login: Prevent unauthorized access by disabling direct root login over SSH.

For example, to generate an SSH key pair and copy it to a Fortinet device, use the following commands:

ssh-keygen -t rsa -b 4096 -C "[email protected]"
ssh-copy-id admin@fortinet-device

By implementing these measures, you can ensure that your Ansible playbooks run securely across your network devices.

Best practices for SSH configuration

Always use strong encryption algorithms and disable outdated protocols like SSHv1. Additionally, rotate SSH keys periodically to mitigate risks associated with key compromise.

Writing idempotent plays

Idempotency is a core principle of Ansible automation. It ensures that running a playbook multiple times produces the same result, eliminating unnecessary changes. Here’s how to write idempotent plays:

  • Use modules designed for idempotency: Modules like ios_config for Cisco devices and fortios_config for Fortinet are inherently idempotent.
  • Avoid using the command module: It bypasses Ansible’s idempotency checks and can lead to unpredictable results.
  • Check the current state before making changes: Use gather_facts or custom tasks to verify the device state.

For example, here’s an idempotent play to configure a VLAN on a Cisco switch:

- name: Configure VLAN 10
  ios_vlan:
    vlan_id: 10
    name: Engineering
    state: present

By following these practices, you can ensure that your playbooks are reliable and efficient.

Managing variables with Ansible Vault

Sensitive data such as SSH keys, passwords, and API tokens should never be stored in plain text. Ansible Vault encrypts these variables, ensuring they remain secure. Here’s how to use Ansible Vault:

  • Create an encrypted file: Use ansible-vault create filename.yml to create a new encrypted file.
  • Edit existing files: Use ansible-vault edit filename.yml to modify encrypted files.
  • Use encrypted variables in playbooks: Reference them using {{ vault_var }} syntax.

For example, to encrypt a password and use it in a playbook:

ansible-vault encrypt_string 'your_password' --name 'admin_password'

This ensures that your sensitive data is protected, even if your playbooks are stored in a shared repository.

Best practices for Ansible Vault

Store your vault password in a secure location and avoid hardcoding it in scripts. Use tools like gpg or password managers to manage vault passwords securely.

Performing dry-run testing

Dry-run testing allows you to simulate playbook execution without making actual changes. This is crucial for testing and validating automation workflows. Use the --check flag to perform a dry run:

ansible-playbook playbook.yml --check

For example, to simulate configuring a Fortinet firewall policy:

- name: Configure firewall policy
  fortios_config:
    host: "{{ fortinet_host }}"
    username: "{{ fortinet_user }}"
    password: "{{ fortinet_password }}"
    config:
      firewall:
        policy:
          - name: Allow_HTTP
            srcintf: "port1"
            dstintf: "port2"
            action: accept

Dry-run testing helps identify potential issues before deploying changes in production.

Benefits of dry-run testing

It minimizes the risk of unintended changes, reduces downtime, and ensures compliance with organizational policies.

Automating multi-vendor network environments

Managing multi-vendor networks manually is time-consuming and error-prone. Ansible simplifies this process by providing vendor-agnostic modules and plugins. Here’s how to automate multi-vendor environments:

  • Use vendor-specific modules: Modules like ios_config for Cisco and fortios_config for Fortinet streamline configuration tasks.
  • Organize playbooks by vendor: Create separate playbooks or roles for each vendor to maintain clarity.
  • Leverage Ansible Galaxy: Use pre-built roles from Ansible Galaxy to accelerate development.

Below is a comparison of common modules for Cisco and Fortinet devices:

Task Cisco Module Fortinet Module
Configure VLAN ios_vlan fortios_vlan
Apply ACL ios_acl fortios_firewall_acl
Update routing table ios_static_route fortios_router_static

By adopting these practices, you can automate multi-vendor networks efficiently.

Frequently asked questions

What is Ansible Vault and why is it important?

Ansible Vault is a feature that allows you to encrypt sensitive data such as passwords and SSH keys. It ensures that your automation workflows remain secure, even when sharing playbooks.

Can Ansible manage multi-vendor network environments?

Yes, Ansible supports multi-vendor environments through vendor-specific modules. You can automate tasks across Cisco, Fortinet, Juniper, and other devices seamlessly.

What is idempotency in Ansible?

Idempotency ensures that running a playbook multiple times produces the same result without unintended changes. This is critical for reliability in network automation.

How does dry-run testing work in Ansible?

Dry-run testing simulates playbook execution without making actual changes. Use the --check flag to validate your automation workflows.

Conclusion

Automating multi-vendor network environments with Ansible playbooks is a game-changer for network engineers. By implementing secure SSH authentication, writing idempotent plays, managing variables with Ansible Vault, and performing dry-run testing, you can streamline operations and reduce errors. Whether you’re managing Cisco switches or Fortinet firewalls, Ansible provides the tools to automate your network efficiently. Ready to take your network automation to the next level? Start implementing these best practices today and experience the benefits firsthand.