How to automate network configurations with Puppet

Puppet's networking modules provide an agentless approach to managing network devices. Whether you’re looking to perform ad hoc tasks on a device or prevent network configuration drift, you can use the same powerful automation that Puppet is known for in your network administration teams.

We have several supported and partner supported network modules that allow you to integrate devices into regular Puppet management. Here are a few of our most popular:

  • cisco_ios — configures Cisco Catalyst devices running IOS and IOS XE.
  • panos — configures Palo Alto firewalls running PANOS.
  • ciscopuppet — manages Cisco Nexus Network devices.
  • F5 — manages LTM F5 load balancers by providing types and REST-based providers.

For a list of all our network modules, see the Puppet Forge.

Note that our code is all open-source and we welcome your contributions! You can also try writing your own module. Take a look at our module building tools — PDK, Resource API and Litmus — to help you get started.

We have two tools that can execute the functionality of these modules — Bolt and Puppet Enterprise (PE). The tool you’ll use will depend on what you want to do.

So if you’re new to using Puppet to manage network devices, or new to Puppet as a whole, we’ll share below the quickest ways to get started.

Getting started

To get started on your network automation journey, we’ll show you how to connect to the device you want to manage, how to run a task on that device, and how to apply a manifest that describes the state you want your device to be in. Once you get familiar with this workflow and our ecosystem, you’ll be able to migrate this work to PE, enabling you to tackle bigger challenges.

Connect to the device you want to manage

To start with, we need to connect to the device we want to manage. The simplest way to do this is with Bolt, our open source orchestration tool. Bolt learns how to connect to the device through the relevant Puppet module.

To install a module for use with Bolt, we’ll create a Puppetfile file and a bolt.yaml file in a new directory. The Puppetfile file contains the module(s) you want to install, and their dependencies. It will look something like this:

mod 'puppetlabs-panos', '1.0.0'
mod 'puppetlabs-cisco_ios', '1.0.0'
# dependencies
mod 'puppetlabs-resource_api', '1.1.0'
mod 'puppetlabs-netdev_stdlib', '0.18.0'

To complete installation, run the following command from within your new directory:

bolt puppetfile install

You also need to install the net-ssh-telnet gem manually from an administrative account:

/opt/puppetlabs/bolt/bin/gem install net-ssh-telnet

Bolt uses the inventory.yaml file to record the connection information for each node it will work with. It will look something like this:

nodes:
  - name: firewall1.example.com
    alias: pfire_1
    config:
      transport: remote
      remote:
        remote-transport: panos
        user: pfuser
        password: pfpassword
        ssl_fingerprint: "50d858e0985ecc7f60418aaf0cc5ab587f4..."

  - name: switch.example.com
    alias: ios_1
    config:
      transport: remote
      remote:
        remote-transport: cisco_ios
        port: 22
        user: admin
        password: password
        enable_password: enable.me

You can find the connection attributes for the networking devices that support Bolt in lib/puppet/transport/schema/<device_type>.rb. These are documented in the README of each module.
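An added check for an inventory.yaml of the layout above (example code, not from Puppet or Bolt): it flags tab indentation, which YAML does not allow and Bolt rejects, connection secrets kept as plaintext strings, and panos entries with no ssl_fingerprint. The sample inventory is constructed, and the remark about inventory plugins assumes Bolt's version 2 inventory format.

```python
"""Audit a Bolt inventory.yaml in the flat layout shown above before handing it to Bolt.
Added example, not Puppet's or Bolt's own code. Flags tab characters, secrets written as
plaintext strings, and panos targets with no ssl_fingerprint. Minimal parser, not general YAML."""
SECRET_KEYS = ("enable_password", "password")

# Constructed sample: same shape as the inventory above, tab bug included.
SAMPLE = """\
nodes:
  - name: firewall1.example.com
    alias: pfire_1
    config:
      remote:
        remote-transport: panos
        password: pfpassword
  - name: switch.example.com
    alias: ios_1
    config:
      remote:
        remote-transport: cisco_ios
\tport: 22
        password: password
        enable_password: enable.me
"""

def parse_nodes(text):
    """Split the inventory into one dict per node: key -> value ('' for nested keys)."""
    nodes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- name:"):
            current = {"name": line.split(":", 1)[1].strip()}
            nodes.append(current)
        elif current is not None and ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return nodes

def audit_inventory(text):
    """Return (node, finding) tuples; an empty list means nothing was flagged."""
    findings = [("file", f"line {n}: tab character in YAML indentation")
                for n, raw in enumerate(text.splitlines(), 1) if "\t" in raw]
    for node in parse_nodes(text):
        label = node.get("alias") or node["name"]
        # Bare string = plaintext; a plugin value (`_plugin:` on following lines) leaves it empty.
        for key in SECRET_KEYS:
            if node.get(key):
                findings.append((label, f"{key} stored as plaintext string"))
        if node.get("remote-transport") == "panos" and "ssl_fingerprint" not in node:
            findings.append((label, "panos target without ssl_fingerprint"))
    return findings
```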

Perform an ad hoc task on a device

A useful command to start with is bolt task show, which returns a list of all the tasks Bolt knows how to perform — pre-defined in the network device modules. For example:

cisco_ios::cli_command        Execute CLI Command
cisco_ios::config_save        Save running-config to startup-config
panos::apikey                 Retrieve a PAN-OS apikey
panos::commit                 Commit a candidate configuration to a firewall.
panos::set_config             upload and/or apply a configuration to a firewall.
panos::store_config           Retrieve the configuration running on the firewall.

By looking at namespaces, you can tell which device the task is for. If you run the command again with the name of the task, you’ll get a help dialog which documents the attributes required to execute the task, for example bolt task show panos::apikey.

For example, if we want to retrieve a PAN-OS API key from our Panos device, we’ll run:

`bolt task run panos::apikey -n pfire_1`

Or if we want to execute a CLI command on our cisco_ios device, we’ll run:

`bolt task run cisco_ios::cli_command -n ios_1 command="show running-config" raw=true`

The -n option specifies the node or nodes that you want to run the task against. If you have multiple cisco_ios devices in the inventory.yaml file, you can run the task against all of them in one command, for example:

bolt task run cisco_ios::cli_command command="show running-config" raw=false -n ios_1,ios_2,ios_3,ios_4

To see all the ways you can run tasks against multiple nodes, check out the Bolt docs.

Describe the state you want your device to be in

A Puppet manifest file describes the state you want your device to be in. A manifest can contain many different resources and resource types. In this example, we’re going to create two manifest files, called firewall.pp and switch.pp:

# firewall.pp (applied to the panos device)
panos_address { 'newaddressrange':
  ensure => 'present',
  ip_range => '10.0.0.1-10.0.0.5',
  tags => [],
}

# switch.pp (applied to the cisco_ios device)
banner { "default":
  motd => 'This message has been set by Puppet',
}

These manifests describe the state we want the panos_address and banner resources to be in.

Next, we’ll run the following commands to apply the respective manifests against the specified nodes:

`bolt apply firewall.pp -n pfire_1`
`bolt apply switch.pp -n ios_1`

Again, you can specify multiple nodes to apply the state to.

Next steps: Scale, enforce and audit

In the previous section we showed you a few of the quickest ways you can get started managing your network devices. Once you become familiar with running tasks and applying manifests, you can apply these same workflows to PE, allowing you to extend this automation even further.

For example, the manifests we applied above are standard Puppet manifests, which can easily be migrated to PE, allowing you to enforce your desired state and gain auditing and awareness of configuration drift.

With our next major release of PE, you will be able to collaboratively run tasks across your devices, and retain an audit log of all interactions, all from the PE console. If you'd like to learn more about Network Automation with PE, please get in touch to see a preview!

Summary

We hope this gives you some ideas on how you can get started automating your network configurations. We’ve provided a list of content below if you’re interested in learning more. Try out our networking modules and let us know what you think!

The Puppet Network Automation team is continually working to improve the Puppet experience for Network Administrators, as well as adding support for more devices. The team can be found in the #office-hours channel of puppetcommunity.slack.com every Tuesday between 3-4pm GMT, ready to answer any of your questions.

Thanks for reading!
