AnsiblePilot — Master Ansible Automation

Ansible on Cisco IOS XE 17.15 Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: security-compliance

Automate Cisco IOS XE 17.15 routers and switches with Ansible: cisco.ios collection, NETCONF/RESTCONF, configuration backup, drift, OSPF, VLAN, hardening.

Cisco IOS XE 17.15 (the current 17.x train) runs on Catalyst 9000 switches, ASR/ISR routers, and Cloud Catalyst. Ansible's cisco.ios collection (≥ 9.0) plus NETCONF/RESTCONF transports drive day-0 provisioning, config backups, drift detection, OSPF/BGP routing, VLAN trunks, and security hardening. This is the master Ansible guide for IOS XE 17.15.

IOS XE 17.15 release facts

| Item | Value |
|---|---|
| Release | 2024-09 (17.15.1) |
| Train | 17.x (Cisco recommended for new deployments) |
| Programmability | NETCONF, RESTCONF, gNMI, YANG |
| Platforms | Catalyst 9000, ISR, ASR, Cloud Catalyst |

See also: Ansible on Cisco NX-OS 10.4 Automation Complete Guide

Ansible-core compatibility

Use ansible-core 2.18 LTS with cisco.ios >= 9.0 and ansible.netcommon >= 6.1.

Inventory

[ios_xe]
core01 ansible_host=10.0.0.1
core02 ansible_host=10.0.0.2

[ios_xe:vars]
ansible_network_os=cisco.ios.ios
ansible_connection=network_cli
ansible_user=netadmin
ansible_password='{{ vault_netadmin_password }}'
ansible_become=yes
ansible_become_method=enable

For NETCONF use:

[ios_xe_netconf:vars]
ansible_connection=ansible.netcommon.netconf
ansible_network_os=cisco.ios.ios

See also: Ansible on Juniper Junos OS 24 Automation Complete Guide

Configuration backup and diff

- name: Backup IOS XE running-config
  hosts: ios_xe
  gather_facts: false
  tasks:
    - name: Get running config
      cisco.ios.ios_config:
        backup: true
        backup_options:
          dir_path: ./backups
          # gather_facts is off, so ansible_date_time is not populated; now() is an Ansible templating global
          filename: "{{ inventory_hostname }}-{{ now(utc=true, fmt='%Y%m%dT%H%M%SZ') }}.cfg"

OSPF baseline

- name: Configure OSPF on IOS XE 17.15
  hosts: ios_xe
  gather_facts: false
  tasks:
    - name: OSPF process 1
      cisco.ios.ios_ospfv2:
        config:
          processes:
            - process_id: 1
              router_id: "{{ ospf_rid }}"   # per-host variable, e.g. from host_vars
              # network statements live at process level in ios_ospfv2 (address/wildcard_bits/area), not under areas
              network:
                - address: 10.0.0.0
                  wildcard_bits: 0.0.0.255
                  area: '0'
        state: merged

See also: AAP 2.6 Network Automation: Cisco, Arista, Juniper, and Multi-Vendor Management

VLAN and trunk

- name: VLANs on Catalyst
  hosts: ios_xe
  gather_facts: false
  tasks:
    - name: Define VLANs
      cisco.ios.ios_vlans:
        config:
          - name: USERS
            vlan_id: 10
            state: active
          - name: VOICE
            vlan_id: 20
            state: active
        state: merged

    - name: Trunk on Gi1/0/1
      cisco.ios.ios_l2_interfaces:
        config:
          - name: GigabitEthernet1/0/1
            mode: trunk
            trunk:
              allowed_vlans:
                - 10
                - 20
              native_vlan: 999
        state: merged

Interface hardening

- name: Lock down access ports
  hosts: ios_xe
  gather_facts: false
  tasks:
    - name: Port security on access ports
      cisco.ios.ios_config:
        parents: "interface range GigabitEthernet1/0/2 - 24"
        lines:
          - switchport mode access
          - switchport access vlan 10
          - switchport port-security
          - switchport port-security maximum 2
          - switchport port-security violation restrict
          - spanning-tree portfast
          - spanning-tree bpduguard enable

Drift detection

- name: Drift check
  hosts: ios_xe
  gather_facts: false
  tasks:
    - name: Compare running-config against intended template
      cisco.ios.ios_config:
        diff_against: intended
        # render the Jinja2 template; a plain file lookup would leave {{ }} expressions unexpanded
        intended_config: "{{ lookup('ansible.builtin.template', 'templates/' ~ inventory_hostname ~ '.j2') }}"
      # no lines/src, check mode on and diff mode on: the task reports the difference and never pushes it
      check_mode: true
      diff: true
      register: drift

    - name: Fail on drift
      ansible.builtin.fail:
        msg: "Drift detected on {{ inventory_hostname }}"
      # ios_config only returns a diff (before/after) when the running-config differs from the intended one
      when: drift.diff is defined
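As an added example (not from the original post or the cisco.ios collection), the following script audits a backup file like the ones the backup play writes against the access-port baseline from the "Lock down access ports" play, so the hardening and drift sections can be checked offline from CI; the running-config sample is constructed, and the helper names are assumptions.

```python
# Constructed sample of a running-config backup like the ones written to ./backups above.
SAMPLE_BACKUP = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
"""

# Hardening lines every access port must carry (the "Lock down access ports" play).
ACCESS_BASELINE = (
    "switchport port-security",
    "switchport port-security maximum 2",
    "switchport port-security violation restrict",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
)

def parse_interfaces(config):
    """Return {interface name: [child lines]}; IOS indents children by one space."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1]
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return sections

def audit_access_ports(config):
    """Return {interface: [missing baseline lines]} for every access port that drifts."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks are measured against a different baseline
        missing = [req for req in ACCESS_BASELINE if req not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Run it against each file in ./backups after the backup play and fail the pipeline when the returned dict is non-empty.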

Best practices

• Prefer resource modules (ios_ospfv2, ios_vlans, ios_l2_interfaces) over ios_config lines for declarative state.
• Use NETCONF + YANG for programmatic state on 17.x; it is far more reliable than CLI scraping.
• Always run cisco.ios.ios_config with backup: true in CI to capture pre-change state.
• Schedule drift detection as a daily AAP job and report into Slack/Teams.

Conclusion

IOS XE 17.15 + Ansible turns a manually managed Cisco fabric into infrastructure as code. Combine the cisco.ios resource modules with NETCONF transport and AAP for drift, audit, and rollback at scale.
