Environment variables for network devices

Networks are often complex, and the systems on them vary widely. For those reasons, Ansible has a large number of variables that you can tweak to make it fit your environment.

Let's suppose you have two different networks (that is, one for computing and one for network devices) that can't communicate directly, but have to pass through a bastion host to reach one from the other. Since we have Ansible in the computing network, we will need to jump networks using the bastion host to configure an IOS router in the management network. Also, our target switch needs a proxy to reach the internet.

To connect to the IOS router in the database network, we will need to create a new group for our network devices, which are on a separate network. For this example, this might be specified as follows:

[bastion_routers]
n1.example.com
n2.example.com

[bastion_cumulusvx]
vx01.example.com

Following the creation of our updated inventory, we can create a new group variables file, such as group_vars/bastion_routers.yaml, with the following content:

---
ansible_connection: network_cli
ansible_network_os: ios
ansible_become: True
ansible_become_method: enable
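# Tunnel every SSH connection through the bastion host; -W %h:%p forwards
# the session to the target host and port.
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion.example.com"'
proxy_env:
  http_proxy: http://proxy.example.com:8080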

We can also do the same for our Cumulus VX switches if they are behind a bastion server by creating a group_vars/bastion_cumulusvx.yml file:

---
ansible_user: cumulus
ansible_become: false
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion.example.com"'
proxy_env:
  http_proxy: http://proxy.example.com:8080

In addition to the options we discussed in the previous section, we now have two additional options:

  • ansible_ssh_common_args: This is a very powerful option that lets us append extra options to the SSH connections Ansible makes so that we can tweak their behavior. The options should be easy to identify, since they are the same ones you already use in your SSH configuration when you connect to the target machine by hand. In this specific case, we are adding a ProxyCommand, which is the SSH directive that performs a jump through another host (usually a bastion host) so that we can reach the target host securely.
  • http_proxy: This option, which is nested under the proxy_env option, is key in environments where network isolation is strong and your machines therefore can't reach the internet unless they use a proxy.
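How the proxy_env dictionary gets used, as an added example that is not from the original book: proxy_env is an ordinary variable, so the proxy only takes effect when a play or task passes it to the environment keyword. The playbook file name proxy_check.yml and the test URL are assumptions.

```yaml
---
# proxy_check.yml (hypothetical file name): added example, not from the book.
# Run with the same inventory and credentials as an ad hoc command:
#   ansible-playbook -i hosts -u cumulus --ask-pass proxy_check.yml
- name: Verify that proxy_env reaches tasks on the Cumulus VX switches
  hosts: bastion_cumulusvx
  gather_facts: false
  # proxy_env comes from group_vars/bastion_cumulusvx.yml; without this
  # keyword the dictionary is defined but never exported to any task.
  environment: "{{ proxy_env }}"

  tasks:
    - name: Read http_proxy as a remote process sees it
      ansible.builtin.command: printenv http_proxy
      register: proxy_seen
      changed_when: false
      failed_when: false   # let the assert below report a missing variable

    - name: Confirm the exported value matches the group variable
      ansible.builtin.assert:
        that:
          - proxy_seen.stdout == proxy_env.http_proxy
        fail_msg: "http_proxy was not exported on {{ inventory_hostname }}"

    - name: Fetch a page through the proxy
      # http_proxy covers http:// URLs only; https:// requests also need an
      # https_proxy key in proxy_env. The URL is a placeholder.
      ansible.builtin.uri:
        url: http://example.com/
        return_content: false
      register: fetch

    - name: Report the HTTP status returned through the proxy
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} got HTTP {{ fetch.status }} via {{ proxy_env.http_proxy }}"
```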

Assuming you have set up passwordless (for example, SSH key-based) access to your bastion host, you should be able to run an ad hoc Ansible ping command against your Cumulus VX host, as follows:

$ ansible -i hosts -m ping -u cumulus --ask-pass bastion_cumulusvx
SSH password:

vx01.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

Note that the use of the bastion server becomes transparent – you can carry on automating with Ansible as if you were on the same flat network. If you have access to a Cisco IOS-based device, you should be able to run a similar command against the bastion_routers group as well and achieve similarly positive results. Now that you have learned the necessary steps to set environment variables for network devices, and indeed access them with Ansible, even when they are on isolated networks, let's learn how to set conditional statements for networking devices.
