This is a simple example of how to setup Ansible Tower to automate a Cisco IOS Router. This post is written from a network engineer's perspective.

NOTE: Only tested with Ansible Tower 3.1.3 which uses Ansible 2.3 at the time this post was written


The example setup was done in GNS3 using the Cisco ViRL IOS image and a RHEL 7.3 VM with a valid subscription(license). Details of how this was done will be discussed in a future blog post.

enter image description here

Installing Ansible Tower

Follow the Ansible Tower installation steps. This demo uses the default account of admin.

Create a Test Playbook.

A test playbook called test-network-automation can be found on Github. It contains one playbook called test.yml, that runs show version on the IOS router.


- hosts: switches
  connection: local
      host: ""
      username: ""
      password: ""

      - name: run show version
          commands: "show version"
          provider: ""
        register: show_version

      - name: print the show version output
        debug: var=show_version

Configure the switch.

Here is the relevant IOS configuration

ip domain-name linuxsimba.local

!--- Generate an SSH key to be used with SSH.

crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
username ansible privilege 15 password 0 1q2w3e4r5t!
rtr01#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa

Ansible Tower Configuration Workflow

The Ansible Tower setup to configure network automation can be summarized in the following flow chart

Created with Raphaƫl 2.1.2StartCreate a ProjectConfigure an Empty Machine CredentialCreate an InventoryCreate a Host GroupAdd a host to the Host GroupCreate a Job TemplateRun the Job Template

Configure a Project

Add the test playbook into the Tower database. This is done by creating a Project

enter image description here

Configure an Empty Machine Credential

Because the connection made to the IOS device is made via a proxy connection on the Ansible tower server, all one has to do is create an empty machine credential. That is, just give the credential a name. For this example, because Ansible Vault is used , the Vault password is filled out. The Vault Password is tower. It is good practise to encrypt your network authentication. Tower does provide a feature called Network Credentials but it will not be covered on this post. The method of encrypting network authentication information within the playbook was preferred.

enter image description here

Create an Inventory

An inventory is a database of hosts and grouping of hosts that are referenced in the playbook. In the test playbook, the host group called switches is referenced. Tower will host this database so that the playbook just references it.

enter image description here

Create a Host Group

This step creates the switches host group. Hosts added with this group will execute the show version action in the tasks list of the text playbook.

enter image description here

Add Hosts to the Host Group

Only 1 network device is listed in this demo. It is called switch01 and its IP is Note that the IP is defined in the variable ansible_host.

enter image description here

Create a Job Template

Create a object called a Job template. This brings together all the information entered before. For a network automation job, one creates a job template with an empty machine credential, a reference to a playbook. This playbook uses the local connection type, connection: local. Network authentication is set within the playbook and not in Tower using what Ansible Core (CLI) calls a network provider. In this case the provider is a variable hash called cli.

enter image description here

Run the Job Template

Finally run the job template. This creates what Tower calls a Job. Below are the results of executing the job.

enter image description here

enter image description here


Written with StackEdit.