Architecting Network Automation with Arista EOS and Ansible

Published by TechMarmot Editorail Staff on | Category Ansible

The convergence of software-defined networking and infrastructure-as-code has fundamentally altered the landscape of data center management. At the center of this evolution is the synergy between Arista EOS and the Red Hat Ansible Automation Platform. Ansible, an open-source automation engine released in 2012 and subsequently acquired by Red Hat in 2015, provides a powerful, agentless framework for server software provisioning, configuration management, and application deployment. When applied to Arista networks, this capability transforms the network from a series of manually configured boxes into a programmable, consistent, and scalable fabric.

The core philosophy of Ansible is rooted in idempotency. In a networking context, idempotency ensures that the outcome of an operation is performed only once and only if necessary, regardless of how many times the process is executed. To visualize this, consider a pair of on/off buttons; no matter how many times an operator presses the "on" button, the device will only transition to the "on" state once. This mechanism is critical for network stability, as it prevents unnecessary configuration rewrites that could potentially cause flapping or service interruptions. Unlike many legacy automation tools, Ansible does not require a proprietary communications mechanism or a software agent to be installed on the managed device, which reduces the attack surface and eliminates the overhead of agent maintenance on the switch.

Arista EOS is uniquely suited for this level of automation because it is built upon a Linux foundation. Unlike proprietary operating systems, EOS allows administrators to access the underlying Linux shell, enabling the execution of standard Linux applications and the deployment of Docker containers directly on the network hardware. This architectural decision makes Arista switches behave more like servers, simplifying the integration with DevOps tools. Furthermore, because Arista was founded by former Cisco employees, the EOS CLI maintains a high degree of similarity to Cisco's own, facilitating a smooth transition for engineers migrating from Cisco-centric environments to Arista-centric platforms.

The Arista EOS and AVD Collection Ecosystem

The automation of Arista environments is primarily handled through two distinct but complementary collections: the arista.eos collection and the arista.avd (Arista Validated Designs) collection.

The arista.eos collection is the foundational toolset designed to help automate the management of Arista EOS network appliances. It provides the low-level modules and plugins necessary to interact with the device. This collection has been rigorously tested against Arista EOS version 4.24.6F and requires Ansible versions 2.16.0 or greater. The collection utilizes Fully Qualified Collection Namespaces (FQCN) to ensure there are no naming collisions between different providers, such as using arista.eos.eos_l2_interfaces instead of a generic module name.

In contrast, the arista.avd collection serves as a higher-level abstraction layer. While Ansible is the engine, AVD is an opinionated collection that provides roles, modules, and plugins to generate and deploy best-practice configurations. AVD is designed for various network architectures, including Data Center, Campus, and Wide Area Networks (WAN). The "opinionated" nature of AVD means that it incorporates field experiences and best practices from actual Arista customer deployments, allowing users to deploy complex designs, such as EVPN/VXLAN L3LS fabrics, without needing to manually interpret every page of the Arista Design and Deployment Guides.

The operational flow of these tools typically involves an Ansible server that communicates with Arista devices through two primary pathways:
1. The eAPI (extensible Access Interface), which provides a programmatic interface for the device.
2. The Arista CloudVision Portal, which acts as an intermediary that communicates with the devices.

The integration with CloudVision further enhances the automation pipeline by adding change control workflows, continuous compliance checks, and a real-time network topology overview. It also provides streaming telemetry and flow-based data, which allows the operator to verify the state of the network in real-time after an Ansible playbook has been executed.

Technical Implementation and Configuration Requirements

To establish a successful connection between an Ansible control node and an Arista EOS device, specific administrative and technical configurations must be applied on both the server and the switch.

Arista EOS Device Preparation

Before the Ansible server can push configurations, the EOS device must be prepared to accept remote management. This involves creating a dedicated user with appropriate permissions and securing the management plane.

The following steps are required on the EOS device:

  • Create a user with privilege level 15, which grants full administrative rights.
  • Create an enable password to allow the transition from user mode to privileged mode.
  • Assign a unique hostname to the device for identification within the Ansible inventory.
  • Ensure SSH is enabled (which is the default in EOS).
  • Use SHA512 for password encryption, which is the default standard in EOS.

The specific CLI sequence to achieve this configuration is as follows:

text arista> enable arista# conf t username ansible privilege 15 secret 0 $PASSWORD-HERE$ enable password 0 $ENABLE-PASSWORD$ hostname arista-01 end copy running-config startup-config

The final command, copy running-config startup-config, is critical. Without writing the configuration to the non-volatile memory, any changes made via the CLI or Ansible will be lost upon a device reboot.

Ansible Control Node Configuration

The Ansible server requires a set of default variables to understand how to communicate with the EOS hardware. These variables are typically defined in a group_vars file or the ansible.cfg file.

The mandatory configuration parameters include:

  • ansible_user: The username created on the switch (e.g., ansible).
  • ansible_connection: Set to network_cli to utilize the specialized network connection plugin.
  • ansible_network_os: Set to eos to ensure the correct modules are loaded.
  • ansible_ssh_pass: The SSH password for the user.
  • ansible_become: Set to yes to enable privilege escalation.
  • ansible_become_method: Set to enable to enter the privileged EXEC mode.
  • ansible_become_password: The enable password configured on the device.

Deployment and Installation Procedures

Installing the necessary automation tools is performed through the Ansible Galaxy CLI, the primary distribution hub for Ansible content.

Collection Installation Methods

There are two primary ways to install the arista.eos collection:

  1. Direct installation via the command line:

bash ansible-galaxy collection install arista.eos

  1. Installation via a requirements.yml file, which is the preferred method for version control and CI/CD pipelines:

```yaml

collections:
- name: arista.eos
```

Once the requirements file is created, the installation is triggered using the following command:

bash ansible-galaxy collection install -r requirements.yml

Inventory Management and Connectivity Testing

The Ansible inventory file maps the logical group names to the physical or virtual IP addresses of the Arista devices. A basic inventory for an Arista environment is structured as follows:

text [arista] arista-01 ansible_host=10.15.30.43 arista-02 ansible_host=10.15.30.44

To verify that the control node can successfully communicate with the devices and retrieve system information, the eos_facts module is utilized. This is a critical verification step to ensure that the SSH and privilege escalation settings are correct before attempting any configuration changes.

The verification command is executed as follows:

bash ansible arista -m eos_facts | grep -i hostname

A successful response will return the hostnames of the devices, such as:
- "ansible_net_hostname": "arista-01"
- "ansible_net_hostname": "arista-02"

Advanced Configuration Management with Resource Modules

The arista.eos collection includes network resource modules, which allow for granular control over specific configuration sections. These modules support different states, such as merged, replaced, overridden, and deleted.

The replaced state is particularly powerful as it ensures that the configuration for a specific resource exactly matches the provided input, removing any existing configuration that was not explicitly defined in the task.

An example of replacing a Layer 2 interface configuration using the FQCN is provided below:

```yaml

  • name: Replace device configuration of specified L2 interfaces with provided configuration.
    arista.eos.eosl2interfaces:
    config:
    - name: Ethernet1
    trunk:
    nativevlan: 20
    trunk    vlans: 5-10, 15
    state: replaced
    ```

In this technical scenario:
- The module arista.eos.eos_l2_interfaces is called.
- The config block defines the target interface as Ethernet1.
- The trunk properties set the native VLAN to 20 and allow VLANs 5 through 10 and 15.
- The state: replaced ensures that any other trunk configuration on Ethernet1 is removed.

Lab Environment Considerations and Limitations

When implementing Arista automation in a laboratory or virtualized environment using vEOS (Virtual EOS), certain technical hurdles may arise depending on the hypervisor.

vEOS and VLAN Bridge Issues

Testing in a virtualized environment using KVM or Hyper-V has revealed specific limitations regarding the handling of tagged VLAN frames. It has been observed that vEOS images may fail to receive frames with tagged VLANs, even if the virtual machine is successfully sending them. This behavior suggests a potential drop of tagged frames at the kernel level of the hypervisor.

To circumvent this issue, network architects should avoid using VLAN bridges in the lab setup. Instead, the recommended approach is to use dedicated interfaces and bridges between the Ansible server (e.g., netsvr-01) and the vEOS instances.

Virtual Lab Topology Specification

For those replicating this environment, the following specifications are noted:

Component Specification
Hypervisors Tested KVM, Hyper-V
Connectivity Method Dedicated Interfaces/Bridges
VLAN Status Disabled (due to vEOS image limitations)
Arista OS Image vEOS

Community Engagement and Support Architecture

Maintaining an automation framework requires access to updated documentation and community support. The arista.eos collection is actively maintained, and users are encouraged to contribute through the following channels:

  • GitHub: Issues and Pull Requests are used for bug reporting and feature requests.
  • Ansible Forum: The "network" tag is used to categorize conversations related to network automation.
  • Ansible Network Automation Working Group: A specialized team for those deeply involved in network-related collections.
  • Ansible Bullhorn: A newsletter used for the announcement of new releases and critical changes.

All contributions and interactions within the ecosystem are governed by the Ansible project's Code of Conduct.

Conclusion: Strategic Analysis of Arista Automation

The integration of Arista EOS with Ansible represents a shift from "box-by-box" management to a systemic architectural approach. The distinction between the arista.eos collection and the arista.avd collection is pivotal; the former provides the tools (the "how"), while the latter provides the blueprints (the "what"). By utilizing AVD, organizations can implement a standardized design language that reduces the risk of human error and eliminates the need for engineers to manually interpret complex deployment guides.

From a technical standpoint, the agentless nature of Ansible, combined with the Linux-based architecture of EOS, creates a low-friction environment for automation. The ability to use network_cli and eAPI allows for flexibility in how configurations are pushed, while the idempotency of the platform ensures that the network state remains predictable.

However, the transition to full automation requires careful preparation. As demonstrated in the configuration requirements, the prerequisite of privilege level 15 and secure SSH access is non-negotiable. Furthermore, the reliance on resource modules like eos_l2_interfaces highlights the move toward a declarative state of networking, where the operator defines the intended end-state, and Ansible manages the transition to that state.

For those operating in virtualized environments, the known limitations of vEOS regarding tagged VLANs emphasize the importance of lab validation. The transition from a Cisco-centric environment to Arista is significantly eased by the similarity in CLI syntax, but the true value lies in the ability to treat the network as code, integrating it into broader DevOps pipelines via tools like GitHub Actions or GitLab CI, and maintaining visibility through CloudVision.

Sources

  1. Arista EOS Ansible Collection
  2. AVD Getting Started Guide
  3. YetiOps: Ansible for Networking - Arista EOS

Related Posts