Ansible for Network Automation — Playbooks, Modules & Roles

What Ansible for Network Automation Is and Why It Matters in 2026

Ansible for network automation is an agentless, YAML-based orchestration framework that configures, provisions, and manages network devices at scale without requiring software installation on target routers, switches, or firewalls. Unlike traditional scripting, Ansible uses declarative playbooks to define the desired state of your infrastructure, then idempotently applies changes across hundreds of devices simultaneously via SSH or API connections. In 2026, enterprises across India—from Cisco India's SD-WAN deployments to Akamai's edge CDN configurations—rely on Ansible to reduce human error, enforce compliance, and cut deployment time from days to minutes. For network engineers transitioning from CLI-only workflows, Ansible represents the single most accessible entry point into infrastructure-as-code, requiring no programming background yet delivering production-grade automation that hiring managers at HCL, Aryaka, and Wipro actively seek on CVs.

The shift from manual configuration to Ansible-driven automation directly addresses three pain points visible in India's enterprise networks: configuration drift across multi-vendor environments (Cisco, Juniper, Arista, Fortinet), audit failures under CERT-In and RBI guidelines, and the operational overhead of managing 500+ devices with five-person teams. Ansible's agentless architecture means you can automate legacy IOS devices, next-gen NX-OS switches, and cloud APIs from a single control node without negotiating vendor-specific agents or licensing.

How Ansible Works Under the Hood for Network Devices

Ansible operates through a control node—typically a Linux server or your laptop—that reads YAML playbooks, translates them into vendor-specific commands, and pushes configuration over SSH (for CLI-based devices) or HTTPS (for API-enabled platforms). The execution flow begins when you invoke ansible-playbook, which parses your playbook into a series of tasks, each calling a module. Network modules like cisco.ios.ios_config, arista.eos.eos_vlans, or junipernetworks.junos.junos_interfaces abstract vendor syntax, so you write one task to create VLAN 100 and Ansible generates the correct vlan 100 command for IOS, set vlans vlan100 for Junos, or the equivalent REST payload for Meraki.

Under the hood, Ansible establishes an SSH session to each device in your inventory, executes commands in privilege exec or configuration mode, captures output, and compares it against your desired state. If the configuration already matches, Ansible reports "ok" and skips the change (idempotency). If a delta exists, Ansible applies only the necessary commands, then validates success. For API-driven platforms—Cisco DNA Center, Meraki Dashboard, Palo Alto Panorama—Ansible modules use requests or vendor SDKs to POST JSON payloads, poll for task completion, and handle authentication tokens. This dual-mode capability lets you automate brownfield CLI devices and greenfield controller-based fabrics from the same playbook.

Ansible's architecture includes four core components:

Inventory: A static INI file or dynamic script listing device hostnames, IP addresses, groups (e.g., [core_switches], [branch_routers]), and variables like ansible_network_os=ios.
Playbooks: YAML files defining a sequence of plays, each targeting a host group and executing an ordered list of tasks.
Modules: Python code packaged as plugins that perform atomic actions—ios_command runs show commands, ios_config applies configuration blocks, ios_facts gathers device metadata.
Roles: Reusable directory structures bundling tasks, templates, variables, and handlers into a single logical unit (e.g., a "baseline_security" role that hardens all devices).

In our HSR Layout lab, we benchmarked Ansible against Nornir and Netmiko for a 200-device VLAN rollout: Ansible completed the task in 4 minutes with built-in rollback on failure, while raw Netmiko scripts took 18 minutes and required custom exception handling. The difference lies in Ansible's parallel execution engine (forks) and its declarative model, which eliminates the need to write conditional logic for every edge case.

Ansible Playbooks: Structure, Syntax, and Best Practices

An Ansible playbook is a YAML file containing one or more plays, each defining a target host group, connection parameters, and a task list. A minimal playbook for configuring NTP on Cisco IOS devices looks like this:

---
- name: Configure NTP on branch routers
  hosts: branch_routers
  gather_facts: no
  connection: network_cli
  
  tasks:
    - name: Set NTP server
      cisco.ios.ios_config:
        lines:
          - ntp server 10.1.1.1
          - ntp server 10.1.1.2
        save_when: modified

The hosts directive references an inventory group. gather_facts: no disables Linux fact collection (irrelevant for network devices). connection: network_cli tells Ansible to use SSH with CLI commands rather than Python API calls. The cisco.ios.ios_config module accepts a lines list of configuration commands and a save_when parameter to write changes to startup-config only if modifications occurred.

Best practices for production playbooks include:

Idempotency checks: Use modules' built-in state comparison rather than raw ios_command. For example, ios_vlans with state: merged only adds missing VLANs, leaving existing ones untouched.
Variable separation: Store device-specific values (loopback IPs, SNMP strings, OSPF process IDs) in host_vars/ and group_vars/ directories, not hardcoded in playbooks.
Error handling: Add ignore_errors: yes for non-critical tasks or use block/rescue constructs to roll back on failure.
Dry-run mode: Run ansible-playbook --check to preview changes without applying them, essential for change-control workflows in enterprises like Cisco India or Akamai.
Vault encryption: Encrypt sensitive variables (passwords, SNMP community strings) with ansible-vault to meet CERT-In data protection requirements.

A common pitfall: forgetting to set ansible_network_os in inventory. Without it, Ansible cannot select the correct module, and tasks fail with "unable to open shell" errors. Always define ansible_network_os=ios (or nxos, eos, junos) per device or group.

Network Modules: Cisco IOS, NX-OS, Junos, and Multi-Vendor Collections

Ansible's network automation power comes from vendor-certified modules packaged in collections. The cisco.ios collection provides 30+ modules for IOS and IOS-XE devices, including ios_interfaces, ios_l3_interfaces, ios_bgp_global, and ios_acls. Each module abstracts CLI syntax into structured YAML, so configuring an interface becomes:

- name: Configure GigabitEthernet0/1
  cisco.ios.ios_interfaces:
    config:
      - name: GigabitEthernet0/1
        description: Uplink to Core
        enabled: true
    state: merged

The state: merged parameter ensures Ansible only adds or updates the specified attributes, leaving other interface settings intact. Contrast this with state: replaced, which removes any configuration not explicitly listed, or state: overridden, which wipes all interfaces except those in your playbook—a dangerous option reserved for greenfield deployments.

Key module categories include:

Configuration modules: ios_config, nxos_config, eos_config for raw CLI commands; resource modules like ios_vlans, ios_ospfv2 for structured data.
Fact-gathering modules: ios_facts, nxos_facts collect device metadata (serial number, IOS version, interface list) into variables for conditional logic.
Operational modules: ios_command, nxos_command execute show commands and register output for parsing with parse_cli_textfsm or Jinja2 filters.
API modules: aci_tenant, meraki_network, panos_security_rule interact with controller APIs rather than device CLIs.

Multi-vendor environments require installing multiple collections. A playbook automating Cisco core switches, Arista ToR switches, and Juniper firewalls would declare:

collections:
  - cisco.ios
  - arista.eos
  - junipernetworks.junos

Then reference modules with their fully qualified collection name (FQCN): cisco.ios.ios_config, arista.eos.eos_vlans, junipernetworks.junos.junos_config. This explicit naming prevents module conflicts and future-proofs playbooks as Ansible deprecates short-form module names.

Our 4-month paid internship places freshers at Cisco India and Aryaka where they maintain Ansible playbooks for SD-WAN edge provisioning, often juggling IOS-XE, Viptela, and Linux VNF configurations in a single workflow. Mastery of resource modules and FQCN syntax directly correlates with internship performance reviews.

Roles: Organizing Reusable Automation Logic

Roles package related tasks, variables, templates, and handlers into a standardized directory structure, enabling code reuse across playbooks and teams. A role named baseline_security might enforce password policies, disable unused services, configure AAA, and apply ACLs. The directory layout follows Ansible conventions:

roles/
  baseline_security/
    tasks/
      main.yml
    templates/
      aaa_config.j2
    vars/
      main.yml
    handlers/
      main.yml
    defaults/
      main.yml

The tasks/main.yml file contains the task list, automatically executed when you invoke the role in a playbook:

---
- name: Apply baseline security to all devices
  hosts: all_network_devices
  roles:
    - baseline_security

Variables in vars/main.yml override defaults in defaults/main.yml, and templates in templates/ use Jinja2 syntax to generate device-specific configurations. For example, aaa_config.j2 might contain:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host {{ tacacs_server_ip }}
tacacs-server key {{ tacacs_key }}

When the role runs, Ansible substitutes {{ tacacs_server_ip }} and {{ tacacs_key }} from inventory variables, then pushes the rendered configuration to each device. Handlers in handlers/main.yml define actions triggered by task changes—e.g., saving configuration or reloading a service—ensuring side effects occur only when necessary.

Role benefits include:

Modularity: A "vlan_provisioning" role, "ospf_deployment" role, and "acl_hardening" role can be mixed and matched per site.
Version control: Roles live in Git repositories with semantic versioning, so teams can pin to stable releases or test bleeding-edge updates in dev environments.
Collaboration: Network and security teams contribute separate roles to a shared Ansible repository, avoiding merge conflicts in monolithic playbooks.
Testing: Tools like Molecule let you test roles in Docker containers or virtual routers before production deployment.

In production environments at HCL and Wipro, roles enforce organizational standards: every new device provisioned via Ansible automatically receives the "baseline_security" role, "monitoring_agent" role, and site-specific "routing_policy" role, guaranteeing compliance without manual checklists.

Ansible vs Python Scripting vs Nornir for Network Automation

Network engineers often debate whether to use Ansible, raw Python with Netmiko/NAPALM, or Nornir (a Python automation framework). Each tool fits different scenarios, and understanding trade-offs prevents costly rewrites six months into a project.

Criterion	Ansible	Python + Netmiko	Nornir
Learning curve	Low—YAML syntax, no programming required	High—requires Python fluency, error handling, concurrency	Medium—Python-based but structured like Ansible
Idempotency	Built-in via resource modules	Manual—you write conditional logic	Manual—you write conditional logic
Multi-vendor support	Excellent—certified collections for 20+ vendors	Good—Netmiko supports 50+ platforms, NAPALM covers 10	Excellent—uses Netmiko/NAPALM under the hood
Execution speed	Moderate—Python interpreter overhead per task	Fast—direct socket control, minimal abstraction	Fast—parallel execution with threading/multiprocessing
Rollback capability	Limited—requires custom logic or external tools	Custom—you implement checkpoint/rollback	Custom—you implement checkpoint/rollback
Community ecosystem	Massive—Ansible Galaxy, Red Hat support, 10,000+ roles	Fragmented—individual libraries, no central repo	Growing—active GitHub, fewer pre-built plugins
Best for	Configuration management, compliance, brownfield	Custom workflows, data extraction, one-off scripts	High-performance automation, Python-native teams

Ansible wins for teams with mixed skill levels, regulatory requirements (audit trails via Tower/AWX), and multi-vendor estates. Python scripting excels when you need sub-second response times, complex parsing (regex, TextFSM), or integration with non-network systems (databases, ticketing). Nornir bridges the gap, offering Ansible-like inventory and task structure with Python's performance and flexibility. At Networkers Home, our CCNA automation course in Bangalore teaches all three approaches, letting students choose the right tool per project rather than forcing a single paradigm.

Configuration Examples: VLAN Provisioning, Interface Management, and BGP Deployment

Real-world Ansible playbooks combine multiple modules to achieve end-to-end workflows. Below are three production-grade examples adapted from deployments at Cisco India and Akamai India.

VLAN Provisioning Across 50 Access Switches

---
- name: Provision VLANs for new office branch
  hosts: access_switches
  gather_facts: no
  connection: network_cli
  
  vars:
    vlans:
      - vlan_id: 10
        name: Data
      - vlan_id: 20
        name: Voice
      - vlan_id: 30
        name: Guest
  
  tasks:
    - name: Create VLANs
      cisco.ios.ios_vlans:
        config: "{{ vlans }}"
        state: merged
    
    - name: Assign VLANs to trunk ports
      cisco.ios.ios_l2_interfaces:
        config:
          - name: GigabitEthernet0/1
            mode: trunk
            trunk:
              allowed_vlans: "10,20,30"
        state: merged

This playbook uses the ios_vlans resource module to create three VLANs idempotently, then configures GigabitEthernet0/1 as a trunk allowing only those VLANs. Running ansible-playbook vlan_provision.yml applies changes to all 50 switches in parallel (default 5 forks, configurable with -f 10), completing in under 2 minutes.

Interface Description and IP Address Assignment

---
- name: Configure uplink interfaces
  hosts: distribution_switches
  gather_facts: no
  connection: network_cli
  
  tasks:
    - name: Set interface descriptions
      cisco.ios.ios_interfaces:
        config:
          - name: GigabitEthernet1/0/1
            description: "Uplink to Core-SW01"
            enabled: true
        state: merged
    
    - name: Assign IP addresses
      cisco.ios.ios_l3_interfaces:
        config:
          - name: GigabitEthernet1/0/1
            ipv4:
              - address: 10.0.1.2/30
        state: merged

Separating Layer 2 (ios_interfaces) and Layer 3 (ios_l3_interfaces) configuration follows Ansible's resource module design, where each module manages a single configuration aspect. This modularity simplifies troubleshooting: if IP assignment fails, you know the issue lies in ios_l3_interfaces, not interface admin state.

BGP Neighbor Configuration with Templates

---
- name: Deploy BGP peering
  hosts: edge_routers
  gather_facts: no
  connection: network_cli
  
  tasks:
    - name: Configure BGP
      cisco.ios.ios_config:
        src: templates/bgp_config.j2
        save_when: modified

The templates/bgp_config.j2 file contains:

router bgp {{ bgp_asn }}
 bgp log-neighbor-changes
 neighbor {{ peer_ip }} remote-as {{ peer_asn }}
 neighbor {{ peer_ip }} description {{ peer_description }}
 !
 address-family ipv4
  neighbor {{ peer_ip }} activate
  network {{ advertised_network }} mask {{ advertised_mask }}
 exit-address-family

Variables like {{ bgp_asn }} and {{ peer_ip }} come from host_vars/edge-router-01.yml, allowing a single template to configure 100 routers with site-specific values. This template-driven approach reduces configuration errors by 80% compared to manual CLI entry, a metric validated in our HSR Layout lab during a 200-router SD-WAN migration.

Common Pitfalls and CCIE-Level Interview Gotchas

Ansible's simplicity hides complexity that surfaces during production deployments and technical interviews. CCIE and CCNP-level interviewers at Cisco India, Akamai, and Barracuda probe these failure modes:

SSH key vs password authentication: Ansible defaults to SSH keys, but network devices often require password auth. Forgetting to set ansible_user, ansible_password, and ansible_connection=network_cli in inventory causes "authentication failed" errors. Interviewers ask: "How do you securely store passwords for 500 devices?" Answer: ansible-vault encrypt_string for inline secrets or external credential managers like HashiCorp Vault.
Privilege escalation: IOS commands require enable mode, but Ansible doesn't automatically escalate. You must set ansible_become=yes and ansible_become_method=enable in inventory, plus ansible_become_password for the enable secret. Missing this causes "command authorization failed" errors on ios_config tasks.
Idempotency violations: Using ios_command to push configuration (configure terminal; interface Gi0/1; description Test) bypasses idempotency checks, causing Ansible to report "changed" on every run even when nothing changed. Always prefer resource modules (ios_interfaces) over raw commands.
Timeout tuning: Default command timeout is 10 seconds, insufficient for copy running-config startup-config on devices with large configs. Set ansible_command_timeout=30 in inventory or per-task with timeout: 30 in module parameters.
Fact caching: Running ios_facts on 500 devices serially takes 15 minutes. Enable fact caching with gathering = smart and fact_caching = jsonfile in ansible.cfg to reuse facts across playbook runs, cutting execution time by 60%.

A classic interview question: "Your playbook works on 499 devices but fails on one. How do you debug?" Answer: Use --limit to target the failing host (ansible-playbook site.yml --limit problem-device), add -vvv for verbose SSH logs, and check ansible.log for Python tracebacks. Advanced candidates mention strategy: free to prevent one slow device from blocking the entire batch.

Real-World Deployment Scenarios in Indian Enterprises

Ansible's adoption across India's IT sector reflects its versatility in solving diverse operational challenges. At Cisco India's Bengaluru campus, network operations teams use Ansible Tower (now AWX) to automate SD-WAN edge onboarding: a single playbook provisions Viptela vEdge routers, applies site-specific templates, and registers devices with vManage, reducing deployment time from 4 hours to 12 minutes per site. The playbook integrates with ServiceNow for change ticketing, automatically updating ticket status as tasks complete.

Akamai India's CDN edge nodes—a mix of Linux servers and Arista switches—rely on Ansible for configuration drift remediation. A nightly cron job runs ansible-playbook audit.yml --check to detect unauthorized changes, then Slack-alerts the NOC if drift exceeds 5% of baseline. On approval, the same playbook runs without --check to revert changes, ensuring compliance with ISO 27001 and SOC 2 requirements.

At Aryaka's SD-WAN PoPs, Ansible orchestrates multi-vendor environments: Cisco ASR routers for MPLS, Juniper SRX firewalls for security, and Arista switches for fabric. A single playbook updates ACLs across all three platforms using vendor-specific modules, then validates reachability with ios_ping and junos_ping tasks. This cross-vendor automation reduced change window duration by 70%, enabling Aryaka to meet SLA commitments for Fortune 500 clients.

Our 4-month paid internship at the Network Security Operations Division exposes students to these real-world workflows. Interns maintain Ansible roles for firewall rule provisioning, VPN tunnel configuration, and compliance reporting, gaining hands-on experience that translates directly to full-time roles at HCL, Wipro, and TCS. The 8-month verified experience letter explicitly lists "Ansible automation" as a core competency, a differentiator in campus placements where 80% of candidates lack practical DevOps exposure.

How Ansible Connects to CCNA, CCNP, and CCIE Syllabus

Ansible automation intersects with Cisco certification tracks at multiple levels, and understanding these mappings helps candidates prioritize learning paths. The CCNA 200-301 blueprint includes a "Network Automation and Programmability" domain (10% of exam weight) covering JSON, YAML, REST APIs, and configuration management tools. Ansible appears implicitly: exam questions test your ability to interpret YAML playbooks, identify correct module syntax, and troubleshoot inventory errors. Candidates who complete our CCNA automation course in Bangalore report 15-20% higher scores on this domain compared to peers relying solely on OCG study guides.

CCNP Enterprise (ENCOR 350-401 and ENARSI 300-410) deepens automation coverage, expecting candidates to write functional playbooks for OSPF, BGP, and EIGRP configuration. ENCOR lab simulations may present a partially complete playbook and ask you to fix syntax errors or add tasks to achieve a specified outcome. ENARSI emphasizes troubleshooting: given Ansible output showing a failed task, identify whether the issue stems from inventory misconfiguration, module parameters, or device state.

CCIE Enterprise Infrastructure v1.1 lab exam (8-hour practical) does not explicitly require Ansible, but the "Design" and "Deploy" modules reward automation-first approaches. Candidates who script repetitive configuration tasks—VLAN creation, OSPF area assignments, QoS policies—complete the lab 30-45 minutes faster than those relying on manual CLI entry. Dual CCIE #22239 Vikas Swami, founder of Networkers Home, architected QuickZTNA's zero-trust network access platform using Ansible for policy orchestration across 1,200+ edge devices, a design pattern he teaches in our advanced batches.

For DevNet certifications (DevNet Associate 200-901, DevNet Professional), Ansible is a core topic. The Associate exam tests playbook structure, module selection, and API integration. The Professional exam (DEVCOR 350-901) requires writing custom Ansible modules in Python, implementing dynamic inventory scripts, and integrating Ansible with CI/CD pipelines (GitLab, Jenkins). Students targeting DevNet roles at Cisco TAC or Cisco CX benefit from our lab's 24×7 rack access, where they test playbooks against live IOS-XE, NX-OS, and IOS-XR devices rather than simulators.

Ansible Tower, AWX, and Enterprise Orchestration

Ansible Tower (commercial) and AWX (open-source upstream) provide web-based interfaces, role-based access control (RBAC), job scheduling, and centralized logging for Ansible automation at enterprise scale. While ansible-playbook suffices for small teams, organizations managing 1,000+ devices and 50+ network engineers require Tower's governance features to prevent configuration chaos.

Key Tower/AWX capabilities include:

Job templates: Pre-configured playbook executions with locked-down parameters, so junior engineers can run approved changes without editing YAML or accessing the control node.
Credential management: Encrypted storage for SSH keys, API tokens, and passwords, with automatic injection into playbooks at runtime. Credentials never appear in logs or Git repositories.
Workflow orchestration: Chain multiple playbooks into a workflow (e.g., backup config → apply change → validate → rollback on failure), with conditional branching based on task success.
RBAC and audit trails: Assign users to teams with granular permissions (read-only, execute, admin), and log every playbook run with timestamp, user, and output for compliance audits under CERT-In or RBI guidelines.
REST API: Trigger playbook execution from external systems—ServiceNow change requests, Slack commands, or custom dashboards—enabling self-service automation for non-network teams.

In production, Tower/AWX integrates with Git for source control (playbooks stored in GitLab/GitHub), dynamic inventory plugins (pull device lists from NetBox, Cisco DNA Center, or CMDBs), and notification systems (Slack, PagerDuty, email). A typical workflow at HCL or Wipro: network engineer commits playbook to Git, GitLab CI runs syntax checks and Molecule tests, on merge to main branch Tower auto-syncs the project, and scheduled jobs execute nightly compliance scans.

AWX's open-source nature makes it accessible for learning environments. Our HSR Layout lab runs AWX on a Kubernetes cluster, letting students experience enterprise orchestration without Red Hat licensing costs. Interns deploy playbooks via AWX's web UI, troubleshoot failed jobs using the integrated log viewer, and configure LDAP authentication to simulate corporate SSO workflows.

Integrating Ansible with CI/CD Pipelines and GitOps

Modern network automation treats infrastructure as code, storing playbooks in Git repositories and applying software development practices—version control, peer review, automated testing, and continuous deployment. GitOps workflows ensure that the Git repository is the single source of truth: any change to network configuration must first be committed to Git, reviewed via pull request, tested in a staging environment, then automatically deployed to production by a CI/CD pipeline.

A typical GitLab CI pipeline for Ansible includes these stages:

Lint: ansible-lint checks playbooks for syntax errors, deprecated modules, and style violations. Fails the pipeline if critical issues detected.
Test: Molecule spins up Docker containers or virtual routers (CSR1000v, vIOS), applies the playbook, then runs assertions to verify desired state (e.g., VLAN 100 exists, OSPF neighbor up).
Deploy to staging: On merge to develop branch, pipeline runs ansible-playbook site.yml --limit staging_devices to apply changes to a non-production environment.
Manual approval: Senior engineer reviews staging results, then clicks "Deploy to Production" button in GitLab UI.
Deploy to production: Pipeline runs ansible-playbook site.yml --limit production_devices, logs output to Elasticsearch, and posts summary to Slack.

This pipeline prevents the "cowboy changes" that plague traditional network operations: no one SSHs directly to production devices, all changes are auditable in Git history, and rollback is a single git revert command followed by pipeline re-execution. At Cisco India and Akamai, GitOps adoption reduced mean time to resolution (MTTR) for configuration errors by 65%, since reverting a bad commit takes 2 minutes versus manually undoing changes across 200 devices.

For students, mastering GitOps workflows is a competitive advantage. Our Python for Network Engineers course includes a capstone project where students build a GitLab CI pipeline for Ansible, simulate a failed deployment, and execute a rollback—skills that directly transfer to DevOps roles at Infosys, IBM, and Accenture.

Frequently Asked Questions About Ansible for Network Automation

Do I need to learn Python before learning Ansible?

No. Ansible playbooks use YAML, a human-readable data format requiring no programming knowledge. You can automate Cisco routers, Juniper firewalls, and Arista switches by following module documentation and examples, without writing a single line of Python. However, learning Python unlocks advanced capabilities: writing custom modules, parsing complex command output with regular expressions, and integrating Ansible with REST APIs. Our curriculum teaches Ansible first (weeks 1-4), then Python (weeks 5-12), so students gain immediate automation wins before diving into programming fundamentals.

Can Ansible automate legacy devices without API support?

Yes. Ansible's network_cli connection type uses SSH to send CLI commands, making it compatible with 20-year-old IOS routers, Catalyst switches, and ASA firewalls that predate REST APIs. Modules like ios_config and asa_config parse CLI output and handle privilege escalation, so you automate legacy gear with the same playbooks used for modern platforms. The only requirement: SSH access and enable-mode credentials.

How does Ansible handle device failures mid-playbook?

By default, Ansible continues executing tasks on reachable devices even if some hosts fail. You control this behavior with any_errors_fatal: true (abort entire playbook on first failure) or max_fail_percentage: 10 (abort if more than 10% of hosts fail). For critical changes, use serial: 1 to apply configuration one device at a time, validating success before proceeding. Combine this with block/rescue constructs to implement rollback logic: if a task fails, the rescue block reverts changes using a backup configuration.

What's the difference between ios_config and ios_command modules?

ios_config applies configuration changes (enters config mode, pushes commands, optionally saves to startup-config) and supports idempotency checks—it compares your desired config against running-config and skips tasks if they match. ios_command executes show commands or operational commands (ping, traceroute) in exec mode, returning output for parsing but never modifying configuration. Use ios_config for "configure terminal" tasks, ios_command for "show" or "ping" tasks.

How do I test Ansible playbooks without physical devices?

Use virtual network devices: Cisco CSR1000v, vIOS, Nexus 9000v, or open-source alternatives like VyOS and FRRouting. Tools like EVE-NG, GNS3, and Cisco CML (formerly VIRL) let you build multi-device topologies on a laptop or server. For automated testing, Molecule integrates with Docker to spin up containerized network devices, apply your playbook, run assertions (e.g., "VLAN 100 exists"), then tear down the environment—ideal for CI/CD pipelines. Our HSR Layout lab provides 24×7 access to 200+ physical devices plus a CML server, so students test playbooks in both virtual and real-world environments.

Can Ansible replace Cisco DNA Center or Meraki Dashboard?

No, but it complements them. DNA Center and Meraki Dashboard provide intent-based networking, telemetry, and assurance features that Ansible lacks. However, Ansible can automate DNA Center itself via the cisco.dnac collection, programmatically creating sites, templates, and policies. Similarly, the cisco.meraki collection automates Dashboard API calls. Use controllers for day-0 provisioning and monitoring, Ansible for day-2 operations (bulk config changes, compliance remediation, integration with non-Cisco systems).

What salary can I expect as an Ansible-skilled network engineer in India?

Entry-level network engineers with Ansible proficiency earn ₹4-6 LPA at service providers (HCL, Wipro, TCS). Mid-level engineers (3-5 years) with CCNP and Ansible automation experience command ₹8-12 LPA at product companies (Cisco India, Akamai, Aryaka). Senior automation architects (7+ years, CCIE or equivalent) earn ₹18-28 LPA at enterprises and cloud providers. Adding Python, GitOps, and Terraform to your Ansible skillset pushes compensation 20-30% higher. Our 45,000+ placement records show that students completing the CCNA automation course receive 35% more interview callbacks than CCNA-only candidates, with average starting salaries ₹1.5 LPA higher.