Chapter 24 of 27
Network Automation Tools: Ansible, Terraform, and Model-Driven Management
Survey the automation ecosystem to understand where tools like Ansible and Terraform fit and what CCNA expects you to recognize about them.
Where Automation Fits in Modern Networking
From CLI to Automation
Automation tools sit on top of APIs, JSON, REST, and SDN. Instead of typing CLI on each device, you describe the desired network state in files and let software apply it.
Infrastructure as Code
Infrastructure as Code (IaC) means treating network and cloud setup like software: you store configs in files, version them, review them, and apply them repeatably.
Two Tool Categories
1) Configuration automation/orchestration (Ansible) pushes config to existing devices. 2) Provisioning/IaC (Terraform) creates and manages resources via provider APIs.
Model-Driven Programmability
Vendors describe device capabilities using data models like YANG, used by NETCONF and RESTCONF. Tools can rely on these models to configure and monitor devices.
CCNA Expectations
For CCNA, you mainly need high-level understanding: what these tools do, how they fit with controllers and APIs, and typical use cases where they save time and reduce errors.
Ansible Basics for Network Automation
What Is Ansible?
Ansible is an open-source, agentless automation tool. It connects to network devices over SSH or APIs, then sends configuration or commands without installing agents on the devices.
Control and Managed Nodes
You run Ansible from a control node (often a Linux VM). The devices you automate are managed nodes: switches, routers, firewalls, or servers defined in an inventory file.
Inventory and Modules
The inventory lists devices and connection details. Modules are reusable building blocks that do tasks like configuring interfaces, VLANs, or BGP on specific platforms.
Playbooks in YAML
A playbook is a YAML file describing a sequence of tasks. Each task calls a module. Think of a playbook as a checklist that Ansible follows across many devices at once.
Idempotence and CCNA Angle
Ansible aims for idempotent changes: run the same playbook twice, and the network state stays correct. For CCNA, know it uses YAML, modules, and inventories to standardize configs.
Reading a Simple Ansible Network Playbook
Let’s look at a small, CCNA-level Ansible playbook for Cisco IOS XE. You do not need to memorize syntax, but you should be able to read this and explain the intent.
```yaml
---
- name: Configure basic settings on access switches
  hosts: access_switches          # inventory group of managed nodes
  connection: network_cli         # CLI over SSH, common for IOS XE
  gather_facts: no
  tasks:
    - name: Ensure VLAN 10 exists
      cisco.ios.ios_vlan:
        vlan_id: 10
        name: USERS
        state: present

    - name: Set interface descriptions on access ports
      cisco.ios.ios_interface:
        name: "GigabitEthernet1/0/{{ item.port }}"
        description: "User Port {{ item.port }}"
        enabled: true
      loop:                       # one task run per list item
        - { port: 1 }
        - { port: 2 }
        - { port: 3 }
```
How to read this at exam level:
- `hosts: access_switches` means this play runs on all devices in the `access_switches` inventory group.
- `connection: network_cli` tells Ansible to use CLI over SSH, which is common for IOS XE.
- The first task uses the `ios_vlan` module to ensure VLAN 10 named USERS exists. If VLAN 10 is already present with that name, no change is made.
- The second task uses the `ios_interface` module in a loop to configure multiple interfaces with consistent descriptions.
This example shows two important automation ideas:
- Consistency: All access switches get the same VLAN and interface description pattern.
- Scale: A single playbook can configure dozens of switches, avoiding manual per-device CLI.
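To make the idempotence idea concrete (the first task "ensures" VLAN 10 and makes no change if it is already there), here is a small added example in Python that simulates what a network module does. It is not code from the cisco.ios collection or from this course; the running-config text is constructed for the example, and the "apply" step simply appends the generated commands instead of pushing them over SSH.

```python
import re

# Constructed sample running-config from an access switch (not captured from a real device).
CONSTRUCTED_RUNNING_CONFIG = """\
hostname access-sw1
!
vlan 20
 name PRINTERS
!
interface GigabitEthernet1/0/1
 description User Port 1
!
"""


def parse_vlans(running_config: str) -> dict[int, str]:
    """Extract {vlan_id: name} from IOS-style 'vlan N' blocks and their ' name X' lines."""
    vlans: dict[int, str] = {}
    current = None
    for line in running_config.splitlines():
        m = re.match(r"^vlan (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            vlans.setdefault(current, "")      # 'vlan N' alone keeps any existing name
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"^\s+name (\S+)\s*$", line)
            if m:
                vlans[current] = m.group(1)
            continue
        current = None                          # any other top-level line ends the block
    return vlans


def ensure_vlan(running_config: str, vlan_id: int, name: str) -> dict:
    """Ansible-style result for an 'ensure VLAN present' task.

    Commands are generated only when the desired state is not already in place,
    which is what makes a second run report changed=False.
    """
    existing = parse_vlans(running_config)
    commands: list[str] = []
    if existing.get(vlan_id) != name:
        commands = [f"vlan {vlan_id}", f" name {name}"]
    return {"changed": bool(commands), "commands": commands}


def apply_commands(running_config: str, commands: list[str]) -> str:
    """Simulate pushing config lines to the device by appending them to the running-config."""
    if not commands:
        return running_config
    return running_config + "\n".join(commands) + "\n"


def run_twice(running_config: str, vlan_id: int, name: str) -> tuple[dict, dict]:
    """Run the task, apply its commands, then run it again on the resulting config."""
    first = ensure_vlan(running_config, vlan_id, name)
    updated = apply_commands(running_config, first["commands"])
    second = ensure_vlan(updated, vlan_id, name)
    return first, second


if __name__ == "__main__":
    first, second = run_twice(CONSTRUCTED_RUNNING_CONFIG, 10, "USERS")
    print("first run :", first)    # changed=True, two commands
    print("second run:", second)   # changed=False, no commands
```

The first run reports `changed: True` and two commands; the second run against the updated configuration reports `changed: False`, because the module compares desired state with the parsed current state instead of blindly re-sending CLI. A rename (VLAN 20 already exists as PRINTERS but the task asks for PRINT) is also detected as a change.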
Terraform Basics and How It Differs from Ansible
What Is Terraform?
Terraform is an Infrastructure as Code tool focused on provisioning. You write configuration files that describe resources, and Terraform creates, changes, or deletes them via APIs.
Providers and Resources
Providers are plugins that talk to platforms like AWS, Azure, or Cisco SD-WAN. Resources are the actual objects: VPCs, subnets, VPNs, firewalls, and other network components.
State and Declarative Config
Terraform tracks a state file to remember what it created. You declare the desired end state in HCL; Terraform computes a plan to align reality with that configuration.
Terraform vs Ansible
Ansible is task-oriented and great for configuring existing devices. Terraform is declarative and stateful, ideal for creating and managing cloud and virtual network resources.
CCNA-Level Recognition
For CCNA, know that Terraform uses HCL, providers, and state to manage the lifecycle of infrastructure, especially in cloud or SDN-driven environments.
Reading a Simple Terraform Network Configuration
Here is a simplified Terraform example for a cloud virtual network. You are not expected to write HCL on the CCNA exam, but you should be able to read the intent.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id   # reference to the VPC above
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}
```
How to read this:
- The `terraform` block declares that this configuration uses the AWS provider.
- The `provider "aws"` block sets settings for that provider (region, credentials in real life).
- `resource "aws_vpc" "main"` defines a VPC with CIDR 10.0.0.0/16.
- `resource "aws_subnet" "public"` creates a subnet in that VPC with CIDR 10.0.1.0/24.
From a network engineer’s perspective, this is similar to drawing a simple IP design, but encoded as code. Terraform will:
- Call AWS APIs to create the VPC and subnet.
- Store their IDs in the state file.
- On later runs, compare any changes in the HCL file to what already exists and generate a plan.
Conceptually, replace "AWS" with "Cisco SD-WAN" or "Cisco ACI" and the idea is the same: describe the desired topology and let the platform’s API and Terraform handle the heavy lifting.
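The plan-and-state loop described above can be shown with a small added example in Python. It is not Terraform's code or part of this course: the desired resources are the two HCL resources written as plain dictionaries, `"${aws_vpc.main.id}"` stands in for the `aws_vpc.main.id` reference, the provider API call is a fake that hands out constructed IDs, and the state is an in-memory dictionary shaped like a state file.

```python
import json
import re
from itertools import count

# Desired resources, as Terraform would read them from the HCL above (constructed example data).
CONSTRUCTED_DESIRED = {
    "aws_vpc.main": {"cidr_block": "10.0.0.0/16"},
    "aws_subnet.public": {
        "vpc_id": "${aws_vpc.main.id}",   # reference to another resource's ID
        "cidr_block": "10.0.1.0/24",
        "map_public_ip_on_launch": True,
    },
}

_REF = re.compile(r"^\$\{([a-z_]+\.[A-Za-z0-9_]+)\.id\}$")
_ids = count(1)   # counter for the fake provider's constructed IDs


def resolve(attrs: dict, state: dict) -> dict:
    """Replace '${type.name.id}' references with IDs recorded in state.

    A reference to a resource not yet in state stays unresolved, which is
    Terraform's '(known after apply)'.
    """
    out = {}
    for key, value in attrs.items():
        m = _REF.match(value) if isinstance(value, str) else None
        out[key] = state[m.group(1)]["id"] if m and m.group(1) in state else value
    return out


def plan(desired: dict, state: dict) -> list[dict]:
    """Diff desired configuration against the state file and list the actions needed."""
    actions = []
    for address, attrs in desired.items():
        wanted = resolve(attrs, state)
        if address not in state:
            actions.append({"action": "create", "address": address, "after": wanted})
        elif state[address]["attributes"] != wanted:
            actions.append({"action": "update", "address": address,
                            "before": state[address]["attributes"], "after": wanted})
    for address in state:                       # in state but no longer in the config
        if address not in desired:
            actions.append({"action": "destroy", "address": address})
    return actions


def fake_provider_create(address: str, attrs: dict) -> str:
    """Stand-in for a provider API call; returns a constructed resource ID."""
    prefix = "vpc" if address.startswith("aws_vpc.") else "subnet"
    return f"{prefix}-{next(_ids):08x}"


def apply(actions: list[dict], state: dict) -> dict:
    """Execute the plan in order and return the updated state (what Terraform writes to tfstate)."""
    new_state = json.loads(json.dumps(state))    # copy; state is JSON-serialisable like a real tfstate
    for action in actions:
        addr = action["address"]
        if action["action"] == "destroy":
            del new_state[addr]
            continue
        attrs = resolve(action["after"], new_state)   # creates earlier in this run are now in state
        if action["action"] == "create":
            new_state[addr] = {"id": fake_provider_create(addr, attrs), "attributes": attrs}
        else:                                          # update keeps the existing ID
            new_state[addr]["attributes"] = attrs
    return new_state


def lifecycle() -> tuple[list[dict], dict, list[dict], list[dict]]:
    """Create both resources, re-plan (no-op), then drop the subnet from the config (destroy)."""
    state: dict = {}
    first = plan(CONSTRUCTED_DESIRED, state)              # two creates
    state = apply(first, state)
    second = plan(CONSTRUCTED_DESIRED, state)             # nothing to do
    trimmed = {"aws_vpc.main": CONSTRUCTED_DESIRED["aws_vpc.main"]}
    third = plan(trimmed, state)                          # subnet removed from HCL -> destroy
    return first, state, second, third


if __name__ == "__main__":
    for step in lifecycle():
        print(json.dumps(step, indent=2))
```

Walking through `lifecycle()`: the first plan contains two creates, and the subnet's `vpc_id` is still a reference because the VPC has no ID yet; after apply, the state records both IDs and the subnet's `vpc_id` equals the VPC's ID; the second plan is empty; removing the subnet from the configuration yields a destroy action. Changing only the subnet's CIDR in the configuration would produce an update that keeps the existing ID.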
Model-Driven Programmability and YANG
Why Models?
Model-driven programmability describes device capabilities using structured data models instead of only CLI. This makes automation more predictable and less error-prone.
What Is YANG?
YANG is a data modeling language for defining configuration and operational data on network devices: interfaces, routing, ACLs, and more, with strict structure and types.
NETCONF and RESTCONF
Protocols like NETCONF and RESTCONF use YANG models so tools can read and write config as structured data, not raw CLI text. This is key for reliable automation.
CCNA-Level Understanding
Know that YANG is central to model-driven programmability, and that controllers and tools rely on YANG models to send valid, consistent configuration to devices.
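What "structured data, not raw CLI text" looks like in practice: the added Python example below builds a RESTCONF request for one interface using the standard `ietf-interfaces` model (RFC 8343; RESTCONF itself is RFC 8040) and type-checks the payload against a hand-written subset of that model before it would be sent. This is example code, not from this course or from any YANG library: the `INTERFACE_LEAVES` table is a simplified stand-in for a real YANG schema, the host name is a placeholder, and the GET response is constructed.

```python
import json
from urllib.parse import quote

# Hand-written subset of the ietf-interfaces YANG model (RFC 8343) for one
# 'interface' list entry: leaf name -> (YANG type, required). This table is an
# example stand-in for a YANG-derived schema, not a YANG parser.
INTERFACE_LEAVES = {
    "name": ("string", True),          # list key
    "description": ("string", False),
    "type": ("identityref", True),     # e.g. iana-if-type:ethernetCsmacd
    "enabled": ("boolean", False),     # defaults to true in the model
}


def leaf_errors(leaf: str, value, yang_type: str) -> list[str]:
    """Type-check one leaf value the way a YANG-aware agent would."""
    if yang_type == "boolean" and not isinstance(value, bool):
        return [f"{leaf}: expected boolean, got {value!r}"]
    if yang_type == "string" and not isinstance(value, str):
        return [f"{leaf}: expected string, got {value!r}"]
    if yang_type == "identityref" and not (isinstance(value, str) and ":" in value):
        return [f"{leaf}: expected 'module:identity', got {value!r}"]
    return []


def validate_interface(intf: dict) -> list[str]:
    """Return all schema violations for one interface entry (empty list means valid)."""
    errors = []
    for leaf, (yang_type, required) in INTERFACE_LEAVES.items():
        if leaf not in intf:
            if required:
                errors.append(f"{leaf}: mandatory leaf missing")
            continue
        errors += leaf_errors(leaf, intf[leaf], yang_type)
    errors += [f"{leaf}: not defined in the model" for leaf in intf if leaf not in INTERFACE_LEAVES]
    return errors


def restconf_url(host: str, intf_name: str) -> str:
    """RFC 8040 data resource URL; list keys are percent-encoded (so '/' becomes %2F)."""
    return f"https://{host}/restconf/data/ietf-interfaces:interfaces/interface={quote(intf_name, safe='')}"


def build_put_request(host: str, intf: dict) -> dict:
    """Assemble a RESTCONF PUT that replaces one interface entry, refusing invalid data."""
    errors = validate_interface(intf)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "method": "PUT",
        "url": restconf_url(host, intf["name"]),
        "headers": {"Content-Type": "application/yang-data+json",
                    "Accept": "application/yang-data+json"},
        "body": json.dumps({"ietf-interfaces:interface": intf}),
    }


# Constructed RESTCONF GET response for /restconf/data/ietf-interfaces:interfaces (not from a device).
CONSTRUCTED_GET_RESPONSE = """
{"ietf-interfaces:interfaces": {"interface": [
  {"name": "GigabitEthernet1", "type": "iana-if-type:ethernetCsmacd", "enabled": true,
   "description": "Uplink"},
  {"name": "GigabitEthernet2", "type": "iana-if-type:ethernetCsmacd", "enabled": false}
]}}
"""


def disabled_interfaces(response_text: str) -> list[str]:
    """Read structured data instead of scraping 'show' output: names of shut-down interfaces."""
    data = json.loads(response_text)
    return [i["name"] for i in data["ietf-interfaces:interfaces"]["interface"]
            if not i.get("enabled", True)]


if __name__ == "__main__":
    req = build_put_request("sw1.example.net", {       # placeholder host
        "name": "GigabitEthernet1/0/1", "type": "iana-if-type:ethernetCsmacd",
        "description": "User Port 1", "enabled": True})
    print(req["method"], req["url"])
    print(req["body"])
    print("disabled:", disabled_interfaces(CONSTRUCTED_GET_RESPONSE))
```

The point of the validation step is the one the section makes: because the model says `enabled` is a boolean, a payload carrying `"enabled": "yes"` is rejected before anything reaches the device, and a missing mandatory `type` leaf is caught the same way. Reading the GET response is a dictionary lookup on model-defined keys, with no regular expressions over `show` output.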
Putting It Together: Automation Use Cases
Use Case: Branch Standardization
Ansible playbooks can enforce standard VLANs, baseline security, and consistent interface descriptions across all branch routers and switches, reducing manual CLI errors.
Use Case: Multi-Cloud Networking
Terraform uses cloud provider plugins to define VPCs, subnets, and VPNs in code, so your multi-cloud network design is reproducible and version-controlled.
Use Case: Telemetry via Models
Controllers using YANG, NETCONF, and RESTCONF can subscribe to interface and BGP telemetry and push templates, giving centralized, model-driven visibility and control.
Choosing the Right Tool
Think: Ansible for configuring existing devices, Terraform for provisioning infrastructure, and model-driven APIs for structured, scalable management and monitoring.
Thought Exercise: Match the Tool to the Task
Work through these scenarios mentally and decide which technology best fits. There are no absolute right or wrong answers in real life, but at CCNA level, some matches are more natural.
- Scenario A: You need to push a standard SNMP, NTP, and logging configuration to 150 existing Cisco IOS XE routers that are already deployed.
- Which fits best: Ansible, Terraform, or YANG/NETCONF directly?
- Why?
- Scenario B: Your company is expanding into a new region using a cloud provider. You need to build a new virtual network, multiple subnets, and a site-to-site VPN to HQ, and you want to be able to recreate this environment for testing.
- Which fits best: Ansible, Terraform, or manual CLI in the cloud console?
- Why?
- Scenario C: Operations wants near real-time monitoring of interface errors and BFD status from 300 routers, without polling each device individually via CLI scripts.
- Which fits best: SNMP-only, model-driven telemetry using YANG/NETCONF/RESTCONF, or Ansible playbooks scheduled via cron?
- Why?
Pause and actually answer these before you move on. Then compare with this reasoning:
- Scenario A: Ansible is a strong fit; it is designed to configure many existing devices in parallel using playbooks and modules.
- Scenario B: Terraform is ideal; it provisions cloud resources declaratively and can recreate environments easily.
- Scenario C: Model-driven telemetry using YANG-based APIs and a controller is usually better than running periodic Ansible jobs for monitoring.
Quiz 1: Ansible and Terraform Concepts
Check your understanding of the high-level differences between Ansible and Terraform.
Which statement best describes how Terraform differs from Ansible in common network automation workflows?
- Terraform is primarily used to provision and manage infrastructure resources declaratively using providers and state, while Ansible is often used to configure existing devices using task-based playbooks.
- Terraform uses SSH to log into devices and push CLI commands line by line, while Ansible only works with cloud APIs.
- Terraform requires agents to be installed on all network devices, while Ansible is fully agentless.
- Terraform is a Cisco-proprietary tool for configuring IOS XE devices, while Ansible is an open-source tool limited to Linux servers.
Answer: A) Terraform is primarily used to provision and manage infrastructure resources declaratively using providers and state, while Ansible is often used to configure existing devices using task-based playbooks.
Terraform focuses on Infrastructure as Code for provisioning and lifecycle management using providers and a state file. Ansible is typically used for task-based configuration of existing devices via SSH or APIs. Terraform does not log in line by line over SSH, and neither tool is Cisco-proprietary or limited to servers.
Quiz 2: Model-Driven Programmability and YANG
Test your understanding of model-driven management concepts.
At a CCNA level, what is the most accurate description of YANG in the context of network automation?
- YANG is a command-line syntax used by Cisco IOS XE to define new show commands.
- YANG is a data modeling language used to describe the structure of configuration and operational data, which is accessed via protocols like NETCONF and RESTCONF.
- YANG is a proprietary REST API from Cisco used only in SD-WAN environments.
- YANG is a replacement for JSON that is used directly on the wire between clients and controllers.
Answer: B) YANG is a data modeling language used to describe the structure of configuration and operational data, which is accessed via protocols like NETCONF and RESTCONF.
YANG is a data modeling language that defines how configuration and operational data are structured. Protocols like NETCONF and RESTCONF use YANG models so that tools can interact with devices in a model-driven, structured way. It is not a CLI syntax or a proprietary Cisco-only feature.
Key Term Review: Automation Tools and Models
Flip through these cards to reinforce the main concepts from this module.
- Ansible (at a high level)
- An agentless automation tool that connects to devices over SSH or APIs and uses YAML playbooks and modules to configure many devices consistently and in parallel.
- Terraform (at a high level)
- An Infrastructure as Code tool that uses declarative HCL configuration, providers, and a state file to provision and manage the lifecycle of infrastructure resources such as networks, subnets, and gateways.
- Playbook (Ansible)
- A YAML file that defines one or more plays, each containing tasks that call modules to perform configuration or operational actions on groups of devices.
- Inventory (Ansible)
- A file or data source that lists managed devices (hosts), often grouped by role or location, along with connection parameters used by Ansible.
- Provider (Terraform)
- A plugin that knows how to communicate with a specific platform or API, such as AWS, Azure, or Cisco SD-WAN, and exposes resources that Terraform can manage.
- Resource (Terraform)
- A specific infrastructure object managed by Terraform, such as a virtual network, subnet, VPN gateway, or firewall rule, defined in HCL configuration.
- Infrastructure as Code (IaC)
- An approach where infrastructure configuration is defined in machine-readable files, version-controlled, and applied automatically, rather than configured manually via GUI or CLI.
- Model-driven programmability
- A management approach where device capabilities and data are defined by formal models (such as YANG), enabling structured configuration and telemetry via protocols like NETCONF and RESTCONF.
- YANG
- A data modeling language used to define the structure of configuration and operational data on network devices, forming the basis for model-driven APIs such as NETCONF and RESTCONF.
- Idempotent change
- A property of automation tasks where running the same operation multiple times results in the same final state, without unintended duplicate or conflicting configurations.
Key Terms
- YANG
- A data modeling language used to define the structure of configuration and operational data on network devices, forming the basis for model-driven APIs such as NETCONF and RESTCONF.
- Ansible
- An agentless automation tool that connects to devices over SSH or APIs and uses YAML playbooks and modules to configure many devices consistently and in parallel.
- NETCONF
- A network management protocol that uses XML and YANG models to install, manipulate, and delete configuration data on network devices in a structured way.
- Playbook
- In Ansible, a YAML file that defines one or more plays, each containing tasks that call modules to perform configuration or operational actions on groups of devices.
- Provider
- In Terraform, a plugin that knows how to communicate with a specific platform or API and exposes resources that Terraform can manage.
- RESTCONF
- A REST-based protocol that uses HTTP, JSON or XML, and YANG models to provide programmatic access to configuration and operational data on network devices.
- Resource
- In Terraform, a specific infrastructure object managed by Terraform, such as a virtual network, subnet, VPN gateway, or firewall rule, defined in configuration.
- Inventory
- In Ansible, a file or data source that lists managed devices (hosts), often grouped by role or location, along with connection parameters.
- Terraform
- An Infrastructure as Code tool that uses declarative HCL configuration, providers, and a state file to provision and manage the lifecycle of infrastructure resources such as networks, subnets, and gateways.
- Idempotent
- Describes an operation that can be performed multiple times and still produce the same final result, a key property of reliable automation tasks.
- State (Terraform)
- Terraform’s record of the resources it manages and their attributes, used to compare desired configuration with actual infrastructure and generate plans.
- Infrastructure as Code (IaC)
- An approach where infrastructure configuration is defined in machine-readable files, version-controlled, and applied automatically, rather than configured manually via GUI or CLI.
- Model-driven programmability
- A management approach where device capabilities and data are defined by formal models, enabling structured configuration and telemetry via model-aware protocols.