Ansible Project: Network Security Audit 4 – Individual Device Commands

This is a test to get different commands added to different devices.
There are multiple methods to achieve this.
1. Use host_vars and set each var in the file. The task will pull the variables for the hosts. All need to be the same name
2. Set individual plays for set commands. This does make the playbook longer.

Playbook found in my GitHub

I will be using method 1 for this example. I have created the host_var directories in the inventory directory. Each host has a directory named the same as the name in the inventory.
In my case, they are IP addresses.


stef@stef-VirtualBox:~/Ansible_projects$ tree
.
├── inventory
│   ├── group_vars
│   │   └── all_devices
│   │       ├── all_devices.yml
│   │       └── vault
│   ├── host_vars
│   │   ├── 172.16.1.104
│   │   │   └── snmp.yaml
│   │   └── 172.16.1.125
│   │       └── snmp.yaml
│   └── router_switch_inv.ini
├── output
└── playbooks
    ├── pb1_mac_finder.yml
    ├── pb2_ip_finder2.yml
    ├── pb2_ip_finder.yml
    ├── pb3_securityaudit1.yml
    ├── pb3_securityaudit2.yml
    ├── pb4_securityaudit10_current-acl-yaml-creator.yml
    ├── pb4_securityaudit11_individual-device-commands.yml
    ├── pb4_securityaudit3.yml
    ├── pb4_securityaudit4.yml
    ├── pb4_securityaudit5.yml
    ├── pb4_securityaudit6.yml
    ├── pb4_securityaudit7.yml
    ├── pb4_securityaudit8.yml
    └── pb4_securityaudit9.yml

stef@stef-VirtualBox:~/Ansible_projects$ tree

├── inventory

│ ├── group_vars

│ │ └── all_devices

│ │ ├── all_devices.yml

│ │ └── vault

│ ├── host_vars

│ │ ├── 172.16.1.104

│ │ │ └── snmp.yaml

│ │ └── 172.16.1.125

│ │ └── snmp.yaml

│ └── router_switch_inv.ini

├── output

└── playbooks

├── pb1_mac_finder.yml

├── pb2_ip_finder2.yml

├── pb2_ip_finder.yml

├── pb3_securityaudit1.yml

├── pb3_securityaudit2.yml

├── pb4_securityaudit10_current-acl-yaml-creator.yml

├── pb4_securityaudit11_individual-device-commands.yml

├── pb4_securityaudit3.yml

├── pb4_securityaudit4.yml

├── pb4_securityaudit5.yml

├── pb4_securityaudit6.yml

├── pb4_securityaudit7.yml

├── pb4_securityaudit8.yml

└── pb4_securityaudit9.yml

Inside the snmp.yaml files, I have set a variable that is then referenced in the task. This is snmp_location


stef@stef-VirtualBox:~/Ansible_projects/inventory/host_vars$ cat 172.16.1.104/snmp.yaml 
snmp_location: snmp-server location LONDON

stef@stef-VirtualBox:~/Ansible_projects/inventory/host_vars$ cat 172.16.1.125/snmp.yaml 
snmp_location: snmp-server location PARIS

stef@stef-VirtualBox:~/Ansible_projects/inventory/host_vars$ cat 172.16.1.104/snmp.yaml

snmp_location: snmp-server location LONDON

stef@stef-VirtualBox:~/Ansible_projects/inventory/host_vars$ cat 172.16.1.125/snmp.yaml

snmp_location: snmp-server location PARIS

When running the task, the snmp_location variable is referenced in snmp.yaml.
This will put the individual commands to the different routers.


---

#### SNMP ####
- name: SNMP PLAY
  hosts: lab_core
  gather_facts: false
  connection: network_cli


  vars:
    snmp_string: snmp-server community COM_STRING RO

  tasks:
    - name: SNMP Location
      ios_config:
        lines:
          - "{{ snmp_location }}"
      register: post_snmp_output

    - name: Show Fixed SNMP Config
      ios_command:
        commands:
          - "show run | i snmp"
      register: post_snmp_output

    - name: New SNMP
      debug:
        var: post_snmp_output.stdout_lines
      when: post_snmp_output.stdout_lines is defined

---

#### SNMP ####

- name: SNMP PLAY

hosts: lab_core

gather_facts: false

connection: network_cli

vars:

snmp_string: snmp-server community COM_STRING RO

tasks:

- name: SNMP Location

ios_config:

lines:

- "{{ snmp_location }}"

- name: Show Fixed SNMP Config

ios_command:

commands:

- "show run | i snmp"

- name: New SNMP

debug:

var: post_snmp_output.stdout_lines

when: post_snmp_output.stdout_lines is defined


stef@stef-VirtualBox:~/Ansible_projects$ ansible-playbook -c paramiko playbooks/pb4_securityaudit11_individual-device-commands.yml --ask-vault-pass
Vault password: 

PLAY [SNMP PLAY] ********************************************************************************************************************************************************************

TASK [SNMP Location] ****************************************************************************************************************************************************************
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
[WARNING]: To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device
changed: [172.16.1.104]
changed: [172.16.1.125]

TASK [Show Fixed SNMP Config] *******************************************************************************************************************************************************
ok: [172.16.1.104]
ok: [172.16.1.125]

TASK [New SNMP] *********************************************************************************************************************************************************************
ok: [172.16.1.104] => {
    "post_snmp_output.stdout_lines": [
        [
            "snmp-server community COM_STRING RO",
            "snmp-server location LONDON"
        ]
    ]
}
ok: [172.16.1.125] => {
    "post_snmp_output.stdout_lines": [
        [
            "snmp-server community COM_STRING RO",
            "snmp-server location PARIS"
        ]
    ]
}

PLAY RECAP **************************************************************************************************************************************************************************
172.16.1.104               : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
172.16.1.125               : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

stef@stef-VirtualBox:~/Ansible_projects$ ansible-playbook -c paramiko playbooks/pb4_securityaudit11_individual-device-commands.yml --ask-vault-pass

Vault password:

PLAY [SNMP PLAY] ********************************************************************************************************************************************************************

TASK [SNMP Location] ****************************************************************************************************************************************************************

[WARNING]: ansible-pylibssh not installed, falling back to paramiko

[WARNING]: To ensure idempotency and correct diff the input configuration lines should be similar to how they appear if present in the running configuration on device

changed: [172.16.1.104]

changed: [172.16.1.125]

TASK [Show Fixed SNMP Config] *******************************************************************************************************************************************************

ok: [172.16.1.104]

ok: [172.16.1.125]

TASK [New SNMP] *********************************************************************************************************************************************************************

ok: [172.16.1.104] => {

"post_snmp_output.stdout_lines": [

[

"snmp-server community COM_STRING RO",

"snmp-server location LONDON"

]

}

ok: [172.16.1.125] => {

"post_snmp_output.stdout_lines": [

[

"snmp-server community COM_STRING RO",

"snmp-server location PARIS"

]

}

PLAY RECAP **************************************************************************************************************************************************************************

172.16.1.104 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

172.16.1.125 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Leave a Comment Cancel Reply