The modern data center network relies heavily on the Cisco Nexus series, where NX-OS serves as the critical operating system powering everything from top-of-rack access switches to massive spine-leaf fabrics. These devices are the primary conduits for east-west traffic, which constitutes the bulk of communication within enterprise environments. While there is a perceived similarity between NX-OS and the classic Cisco IOS, NX-OS is a distinct entity with its own specific command syntax, unique architectural features, and specialized automation capabilities. To manage these environments at scale, manual CLI configuration is no longer viable; instead, the industry has shifted toward Infrastructure as Code (IaC) using Ansible.
Ansible operates as an agentless open-source engine designed for configuration management, deployment, and orchestration. By utilizing YAML-formatted playbooks, it provides a human-readable method to define the desired state of a network. Each playbook consists of one or more plays, and each play contains a series of tasks. Every task is linked to a specific module—essentially a Python script—that executes the actual change on the target device. For Cisco Nexus devices, the cisco.nxos collection provides a specialized set of modules that translate YAML declarations into the specific API calls or CLI commands required by NX-OS.
Infrastructure Prerequisites and Environment Setup
Establishing a stable automation environment is the foundational step before any configuration is pushed to production hardware. The environment must be configured to handle Python-based execution, as Ansible is built upon this language.
Python and Package Management
The prerequisite for running Ansible is a compatible Python environment. Specifically, the automation journey can be kickstarted on any Linux machine provided it has Python version 3.11 or higher installed. To manage the installation of Ansible and its dependencies, the pip package manager is required. pip acts as the primary tool for installing libraries and dependencies that are not included in the standard Python library.
If pip is not present, it must be installed first, followed by the installation of the Ansible core engine. The installation is performed via the terminal using the following command:
sudo pip install ansible
Once the installation is complete, the version must be verified to ensure the environment is operational.
Specialized Execution Environments
For developers who prefer a containerized approach or want to maintain a clean host system, Cisco provides a setup that can be run within a VSCode Devcontainer. This ensures that the toolchain, including Python and Ansible, is isolated from the primary operating system, providing a consistent environment across different development teams.
Collection Installation
Standard Ansible installations do not include every vendor-specific module by default. To interact with Cisco Nexus devices, the specific cisco.nxos collection and the ansible.netcommon collection must be installed via the Ansible Galaxy CLI:
ansible-galaxy collection install cisco.nxos
ansible-galaxy collection install ansible.netcommon
The ansible.netcommon collection is critical as it provides the underlying connection plugins required to communicate with network devices over SSH or APIs.
Inventory Management and Connection Logic
The inventory file is the map that Ansible uses to identify which devices to target and how to connect to them. In an NX-OS environment, the inventory must be meticulously structured to handle different roles, such as spines and leaves.
Inventory Structure and Variable Definition
A typical inventory file, such as nxos-devices.ini, categorizes devices into groups. This allows the administrator to apply specific configurations to all spines while applying different configurations to all leaves.
Example Inventory Configuration:
```ini
[nxosspine]
nexus-spine-01 ansiblehost=10.0.0.1
nexus-spine-02 ansible_host=10.0.0.2
[nxosleaf]
nexus-leaf-01 ansiblehost=10.0.1.1
nexus-leaf-02 ansiblehost=10.0.1.2
nexus-leaf-03 ansiblehost=10.0.1.3
nexus-leaf-04 ansible_host=10.0.1.4
[nxos:children]
nxosspine
nxosleaf
[nxos:vars]
ansiblenetworkos=cisco.nxos.nxos
ansibleconnection=ansible.netcommon.networkcli
ansibleuser=admin
ansiblepassword={{ vaultnxospassword }}
```
Technical Analysis of Connection Variables
The variables defined in the [nxos:vars] section are critical for the successful establishment of a session:
ansible_network_os: This tells Ansible to use thecisco.nxos.nxosplatform, ensuring the correct syntax is used.ansible_connection: Usingansible.netcommon.network_cliallows Ansible to use the network CLI connection plugin, which is optimized for network devices rather than standard Linux servers.ansible_userandansible_password: These provide the credentials for authentication. The use of{{ vault_nxos_password }}indicates the use of Ansible Vault to encrypt sensitive passwords, preventing them from being stored in plain text.
The Absence of Enable Mode
A significant technical distinction between NX-OS and IOS is the handling of privileged mode. In Cisco IOS, a user must typically issue the enable command to move from user mode to privileged mode. NX-OS does not utilize the enable concept. Once a user is authenticated with the correct privileges assigned to their user role, they are immediately in privileged mode. Consequently, Ansible playbooks for NX-OS do not need to manage ansible_become or enable_password settings.
Module Deep Dive and Configuration Patterns
The power of Ansible for NX-OS lies in its modularity. Administrators can choose between resource modules for structured configuration and the nxos_config module for freeform CLI commands.
Feature Management
In NX-OS, many capabilities are disabled by default to conserve system resources. If a command is issued for a feature that is not enabled, the switch will reject the command. Therefore, feature enablement must always be the first step in any playbook. This can be achieved using the cisco.nxos.nxos_feature module.
Example Feature Enablement:
```yaml
- name: ENABLE FEATURES
cisco.nxos.nxos_feature:
feature: "{{item.feature }}"
loop: "{{ features }}"
- name: ENABLE FEATURES
cisco.nxos.nxos_config:
lines: "feature nv overlay"
```
Layer 3 and Interface Configuration
Configuring the network fabric involves setting up loopback interfaces, assigning IP addresses, and configuring routing protocols. This is typically handled through a series of specialized modules.
For loopback interfaces:
```yaml
- name: CONFIGURE LOOPBACK INTERFACES
cisco.nxos.nxos_interfaces:
config:
- name: "{{ item.interface }}"
enabled: true
loop: "{{ loopbacks }}"
- name: CONFIGURE INTERFACE IP ADDR
cisco.nxos.nxosl3interfaces:
config:
- name: "{{ item.interface }}"
ipv4:
- address: "{{ item.addr }}/{{ item.mask }}"
loop: "{{ loopbacks }}"
```
Routing and Advanced Overlay Services
For modern data centers utilizing EVPN-VXLAN, the configuration involves BGP, PIM, and NV Overlay.
For PIM and OSPF:
```yaml
- name: ASSOCIATE INTERFACES WITH OSPF PROCESS
cisco.nxos.nxosospfinterfaces:
config:
- name: "{{ item.interface }}"
addressfamily:
- afi: ipv4
processes:
- processid: "{{ ospfprocessid }}"
area:
areaid: "{{ ospfarea }}"
loop: "{{ loopbacks }}"
- name: CONFIGURE PIM INTERFACES
cisco.nxos.nxospiminterface:
interface: "{{ item.interface }}"
sparse: true
loop: "{{ loopbacks }}"
```
For the BGP and EVPN Global configurations:
```yaml
- name: ENABLE NV OVERLAY EVPN
cisco.nxos.nxosevpnglobal:
nvoverlayevpn: true
- name: CONFIGURE BGP ASN, ROUTER ID, AND NEIGHBORS
cisco.nxos.nxosbgpglobal:
config:
asnumber: "{{ asn }}"
routerid: "{{ routerid }}"
neighbors:
- neighboraddress: "{{ item.neighbor }}"
remoteas: "{{ item.remoteas }}"
updatesource: "{{ item.updatesource }}"
state: merged
loop: "{{ bgp_neighbors }}"
```
Managing Virtual Port Channels (vPC)
Virtual Port Channels (vPC) are critical for redundancy and loop avoidance in the data center. Due to the high impact of vPC misconfigurations, which can lead to catastrophic network outages, these must be handled with extreme care.
The nxos_vpc Module
The nxos_vpc module manages global vPC configurations. Detailed information about this module can be accessed using the ansible-doc command:
ansible-doc nxos_vpc
The module supports several key parameters:
| Parameter | Requirement | Description |
|---|---|---|
domain |
Mandatory | Specifies the vPC domain ID |
host |
Mandatory | IP address or hostname of the NX-API enabled switch |
password |
Conditional | Login password; required if .netauth file is not used in the control host home directory |
auto_recovery |
Optional | Enables or disables auto recovery (true/false) |
delay_restore |
Optional | Manages the delay restore command value in seconds |
The use of the .netauth file in the home directory of the Ansible control host is a recommended practice to clean up playbooks, removing the need for hardcoded passwords.
Operational Safety and Troubleshooting
Deploying automation to core infrastructure requires rigorous safety mechanisms to prevent unplanned downtime.
Check Mode and Verbosity
Before executing a playbook, administrators should use "Check Mode" to simulate the changes. When combined with the verbose flag (-v), Ansible shows exactly which commands will be sent to the device without actually executing them.
Command for simulation:
ansible-playbook onetest.yml --check -v
The output provides a clear view of the tasks and the resulting commands, such as:
changed: [n9k1] => {"changed": true, "commands": "interface ethernet1/1 ; switchport access vlan 10 ;"}
This allows the operator to verify the logic before committing changes to the hardware.
Checkpoints and Rollbacks
NX-OS supports configuration checkpoints, which act as a recovery point. It is a mandatory best practice to create a checkpoint before any major change.
Example checkpoint task:
yaml
- name: Create checkpoint before changes
cisco.nxos.nxos_command:
commands:
- checkpoint ansible-backup
If a failure occurs, the administrator can use the checkpoint to roll back the configuration to the last known good state.
VDC Awareness
On Nexus 7000 series switches, Virtual Device Contexts (VDCs) partition the physical switch into multiple virtual switches. When automating these devices, the operator must be explicitly aware of which VDC is being targeted, as configurations are local to the VDC.
Summary of Core NX-OS Modules
The following table summarizes the key modules used for different aspects of Nexus automation.
| Module Name | Primary Purpose | Key Use Case |
|---|---|---|
cisco.nxos.nxos_feature |
Feature Enablement | Activating L3, OSPF, or vPC features |
cisco.nxos.nxos_interfaces |
Layer 2/3 Interface | Enabling/Disabling ports |
cisco.nxos.nxos_l3_interfaces |
IP Addressing | Assigning IPv4 addresses to interfaces |
cisco.nxos.nxos_bgp_global |
BGP Routing | Configuring ASN, Router ID, and Neighbors |
cisco.nxos.nxos_vpc |
vPC Configuration | Setting up vPC domains and recovery |
cisco.nxos.nxos_command |
Generic CLI | Executing checkpoint or show commands |
Conclusion: Detailed Analysis of Automation Impact
The integration of Ansible with Cisco NX-OS represents a fundamental shift from manual, error-prone device management to a scalable, programmable infrastructure. The transition to a "Nexus as Code" model allows for the implementation of CI/CD pipelines where network changes are version-controlled in Git and tested in labs before deployment.
The use of resource modules provides a structured approach, ensuring that the configuration is idempotent—meaning the playbook only makes changes if the current state differs from the desired state. This reduces the risk of unnecessary configuration churn. However, the complexity of NX-OS, specifically regarding vPC and VDCs, requires the operator to maintain a deep understanding of the physical and virtual architecture. The absolute necessity of feature enablement as a preliminary step underscores the "dependency-first" nature of NX-OS.
Ultimately, the combination of nxos_config for freeform agility and specialized resource modules for structured state management gives the network engineer complete control. By utilizing checkpoints and check-mode, the operational risk is significantly mitigated, enabling the agility required for modern, high-density data center environments.