The integration of the Network Configuration Protocol (NETCONF) within the Ansible ecosystem represents a paradigm shift from traditional screen-scraping and Command Line Interface (CLI) automation toward a structured, model-driven architectural approach. At its core, NETCONF, as defined by RFC 6241, is designed to provide a mechanism for installing, manipulating, and deleting configurations of network devices. Unlike the legacy approach of sending raw text strings to a device and parsing the resulting output—which is often fragile and prone to failure when a vendor changes a single space in a command—NETCONF utilizes XML for data encoding and SSH as its secure transport layer. This ensures that the communication between the Ansible controller and the network device is both standardized and secure.
Within the Ansible environment, the ansible.netcommon collection serves as the foundational layer for these interactions. This collection is specifically engineered to provide a common set of tools, connection plugins, and modules that are agnostic to the specific network operating system, allowing for a unified method of interacting with any device that supports the NETCONF standard. By utilizing the ansible.netcommon.netconf connection plugin, Ansible establishes a persistent session that allows for complex operations such as candidate datastore management and configuration locking, which are fundamentally impossible using standard CLI-based modules.
The power of this framework lies in its adherence to YANG (Yet Another Tool for the Annotated Generation of) data models. YANG provides the structural definition of the data, while NETCONF provides the protocol to move that data. When an administrator uses the netconf_config module, they are not merely sending commands; they are manipulating a structured XML payload that corresponds to a YANG model. This removes the ambiguity of CLI syntax and replaces it with a rigorous, machine-readable schema that guarantees the device understands the exact intent of the configuration change.
The Architecture of the ansible.netcommon Collection
The ansible.netcommon collection is a Red Hat Ansible Certified Content package, meaning it undergoes rigorous testing and is entitled to official support through the Ansible Automation Platform (AAP). This certification ensures that the plugins and modules are stable and compatible with the target Ansible versions, specifically those versioned 2.16.0 and above. The collection acts as a dependency for many device-specific collections, providing the underlying machinery required for high-level network automation.
The collection is distributed via Ansible Galaxy and can be installed through the command line using the following operation:
ansible-galaxy collection install ansible.netcommon
For enterprise environments where version control and reproducibility are critical, the collection is typically managed via a requirements.yml file. This allows DevOps engineers to define the exact collection and version required for a project, ensuring that every member of the team is using the same toolset. The format for this file is as follows:
```yaml
collections:
- name: ansible.netcommon
```
The installation from the requirements file is executed with the command:
ansible-galaxy collection install -r requirements.yml
Comprehensive Analysis of Connection Plugins
Connection plugins in Ansible determine how the controller communicates with the target node. The ansible.netcommon collection provides a diverse array of plugins to accommodate different device capabilities and protocol requirements.
| Plugin Name | Primary Function and Technical Description |
|---|---|
ansible.netcommon.netconf |
Establishes a persistent connection using the NETCONF protocol for model-driven automation. |
ansible.netcommon.network_cli |
Uses the standard SSH-based CLI interaction for legacy or non-NETCONF devices. |
ansible.netcommon.httpapi |
Utilizes HTTP-based APIs to execute commands on modern network appliances. |
ansible.netcommon.grpc |
Provides a high-performance, persistent connection using the gRPC protocol. |
ansible.netcommon.persistent |
Utilizes a persistent Unix socket to reduce the overhead of repeated SSH handshakes. |
ansible.netcommon.restconf |
An HttpApi plugin specifically tailored for devices supporting the RESTCONF API. |
ansible.netcommon.libssh |
Executes tasks using the libssh library for specific SSH connection requirements. |
ansible.netcommon.default |
A general-purpose cliconf plugin used for new or generic platforms. |
The use of the ansible.netcommon.netconf plugin is critical when the objective is to move beyond simple command execution. Because it maintains a persistent session, it significantly reduces the latency associated with opening and closing SSH connections for every single task in a playbook, which is a common bottleneck in large-scale network deployments.
Deep Dive into NETCONF Specific Modules
The ansible.netcommon collection provides a suite of modules designed to interact with NETCONF-enabled devices. While platform-specific modules (such as those for Cisco NX-OS or Juniper Junos) offer a simplified abstraction, the netconf modules provide raw, granular control over the device's configuration datastores.
The netconf_config Module
The netconf_config module is the primary interface for applying configuration changes. Unlike ios_config or junos_config, which abstract the underlying protocol, netconf_config allows the user to work directly with XML payloads.
This direct interaction is essential for accessing advanced NETCONF features:
- Candidate Datastore Operations: Users can push configurations to a "candidate" store without immediately affecting the running state of the device.
- Configuration Locking: The module supports locking the configuration datastore to prevent concurrent modifications by other users or processes during a transaction.
- Validation Before Commit: It allows the operator to validate the XML payload against the device's YANG models before committing the change, reducing the risk of runtime errors.
- Granular Edit Operations: It supports specific edit-config operations that allow for precise modification of individual elements within the XML tree.
Supporting NETCONF Modules
To complement the configuration process, the collection includes modules for state retrieval and low-level protocol interaction.
ansible.netcommon.netconf_get: This module is used to fetch configuration or state data from a device. It is essential for verifying that a change applied vianetconf_confighas been successfully implemented.ansible.netcommon.netconf_rpc: This provides the ability to execute arbitrary Remote Procedure Calls (RPCs) on a device, offering a "catch-all" mechanism for any NETCONF operation not explicitly covered by other modules.
Implementation Workflow for VLAN and VNI Mapping
A practical application of these tools is the automation of Virtual Local Area Network (VLAN) and Virtual Network Identifier (VNI) mappings. This process typically involves translating a high-level intent (e.g., "Create VLAN 16 and map it to VNI 10016") into a YANG-compliant XML structure.
Step 1: Inventory and Group Variables Configuration
The first phase of implementation requires defining the target hosts and their connection parameters. In a professional DevOps workflow, this is handled via inventory files and group_vars.
The inventory file, which might be named nc_hosts, identifies the group of devices:
text
[nc_leafs]
10.15.8.21
10.15.8.22
The corresponding group variables file, located at group_vars/nc_leafs.yml, defines the technical requirements for the connection. This is where the ansible.netcommon.netconf plugin is specified:
```yaml
ansibleconnection: ansible.netcommon.netconf
ansiblenetworkos: cisco.nxos.nxos
ansibleuser: admin
ansible_password: cisco.123
```
By setting ansible_connection to ansible.netcommon.netconf, Ansible is instructed to bypass the standard CLI logic and instead use the NETCONF protocol for all subsequent tasks targeting this group.
Step 2: Playbook Construction and Execution
The main playbook serves as the orchestrator, associating the host group with the specific role responsible for the configuration. In the example of a VLAN/VNI mapping, the playbook nc_playbook.yml would look as follows:
```yaml
main playbook
- hosts: ncleafs
gatherfacts: False
roles:- role: ncvlanvni
```
- role: ncvlanvni
The execution of this playbook is performed using the ansible-playbook command. For those requiring deep visibility into the SSH handshake and XML exchange, the -vvv flag is utilized for verbose debugging:
cd /home/pod08/workspace/nxapilab/ansible-nxos
ansible-playbook -i nc_hosts nc_playbook.yml -vvv
Step 3: Conversion from CLI to YANG XML
A critical part of the NETCONF workflow is the conversion of human-readable CLI commands into machine-readable XML. Tools like the NX-API Sandbox allow administrators to input a CLI command and see the corresponding YANG XML.
For example, the following CLI input:
vlan 16
vn-segment 10016
Is converted by the sandbox into a structured XML fragment that is then passed to the netconf_config module. This ensures that the configuration is syntactically correct according to the device's internal YANG model before it is ever transmitted.
Extended Utility Modules and Filter Plugins
Beyond the core NETCONF functionality, the ansible.netcommon collection provides a vast array of helper modules and filter plugins designed to process network data and manage files.
General Network Management Modules
These modules provide essential utility for day-to-day network operations:
ansible.netcommon.net_get: Copies a file from a network device back to the Ansible Controller.ansible.netcommon.net_put: Transmits a file from the Ansible Controller to a network device.ansible.netcommon.net_ping: A specialized tool to test the reachability of a network device.ansible.netcommon.cli_backup: Performs a backup of the device configuration vianetwork_cli.ansible.netcommon.cli_restore: Restores a previously backed-up configuration to a device.ansible.netcommon.cli_command: Executes a standard CLI command on devices that do not support model-driven protocols.ansible.netcommon.cli_config: Pushes text-based configuration changes vianetwork_cli.
Data Processing Filter Plugins
To handle the complex data structures returned by network devices, ansible.netcommon includes several filter plugins. These filters allow operators to transform, parse, and manipulate data within a playbook.
ansible.netcommon.parse_xml: Essential for converting the XML output fromnetconf_getinto a format that Ansible can easily iterate over.ansible.netcommon.parse_cli: Used to structure raw CLI output into a usable data format.ansible.netcommon.parse_cli_textfsm: Specifically uses TextFSM templates to parse CLI output.ansible.netcommon.vlan_parser: A specialized filter for extracting VLAN information.ansible.netcommon.vlan_expander: Used to expand abbreviated VLAN ranges into full lists.ansible.netcommon.pop_ace: A utility to remove Access Control Entry (ACE) entries from an ACL source of truth.ansible.netcommon.hash_salt: Used for securing or hashing sensitive data.ansible.netcommon.type5_pw: A filter for managing Type 5 encrypted passwords.ansible.netcommon.comp_type5: A filter plugin for compatibility with Type 5 password hashing.
Summary of Module Capabilities and Use Cases
The following table summarizes the specific modules within the ansible.netcommon collection and the ideal scenarios for their application.
| Module Name | Primary Use Case | Protocol/Transport |
|---|---|---|
netconf_config |
Applying YANG-modelled configuration changes. | NETCONF / SSH |
netconf_get |
Verifying state or fetching configuration data. | NETCONF / SSH |
netconf_rpc |
Executing specific, low-level NETCONF operations. | NETCONF / SSH |
restconf_config |
Managing configuration via REST API. | RESTCONF / HTTP |
restconf_get |
Fetching state via REST API. | RESTCONF / HTTP |
grpc_config |
State/config management for gRPC devices. | gRPC |
grpc_get |
State retrieval for gRPC devices. | gRPC |
cli_command |
Basic command execution on legacy devices. | network_cli / SSH |
telnet |
Legacy interaction with devices lacking SSH. | Telnet |
Analysis of the Transition from CLI to Model-Driven Automation
The transition from network_cli to ansible.netcommon.netconf is not merely a change in the connection plugin, but a fundamental change in how network state is managed. In a CLI-based workflow, the administrator is responsible for the sequence of commands and the interpretation of the output. If a command fails halfway through a script, the device may be left in a partially configured state.
By utilizing the netconf_config module, the administrator leverages the "transactional" nature of NETCONF. The ability to push to a candidate datastore, validate the configuration, and then commit it as a single atomic operation ensures that the device never enters an inconsistent state. If the validation fails, the commit is not executed, and the running configuration remains untouched.
Furthermore, the use of YANG models eliminates the "regex nightmare" associated with parse_cli or parse_cli_textfsm. Because the data returned by netconf_get is structured XML, the parse_xml filter can convert it into a Python dictionary with absolute precision, removing the fragility associated with screen-scraping.
Community Support and Ecosystem Integration
Because ansible.netcommon is Red Hat Ansible Certified Content, it exists within a robust support ecosystem. Users who encounter issues can leverage the Ansible Automation Platform (AAP) by using the "Create issue" button on the project's repository. For those using the community versions via Galaxy or GitHub, support is available through the Ansible Forum, specifically via posts tagged with network.
The Ansible Network Automation Working Group provides a collaborative space for enthusiasts and professionals to discuss the evolution of these tools. Additionally, the Ansible Bullhorn newsletter serves as the primary channel for announcing new releases and critical updates to the collection.
Conclusion
The ansible.netcommon collection, and specifically its implementation of the NETCONF protocol, provides the necessary infrastructure for professional-grade network automation. By moving away from the fragility of CLI-based interactions and embracing the structure of YANG and XML, organizations can achieve a higher degree of reliability and scalability in their network operations. The combination of the netconf_config module for atomic configuration changes and the netconf_get module for precise state verification creates a closed-loop automation system that is essential for modern software-defined networking. The integration of persistent connections, gRPC, and RESTCONF ensures that this framework is future-proof, capable of supporting both the legacy hardware of today and the API-driven hardware of tomorrow.