Two Ansible Network Compliance Examples

If you are new to Ansible, I suggest you read our article that defines Ansible, and shows you how to set up an Ansible lab environment to test and learn in.

You can also read my article on real-world use cases for Ansible right here. One of those use cases is compliance testing. Let's dig in.

Why Compliance Testing?

Compliance testing in networking is critical for maintaining security, reliability, legal adherence, and operational consistency across your network infrastructure. Here’s why it matters:

1. Security Enforcement

  • Ensures configurations meet security policies (e.g., SSH v2 enabled, SNMPv3 only, password encryption).
  • Helps prevent misconfigurations that could leave devices vulnerable.
  • Verifies firewall rules, access controls, and AAA policies are enforced as intended.

2. Regulatory and Legal Compliance

  • Required for adherence to standards like:
    • PCI-DSS (for handling credit card data)
    • HIPAA (for healthcare data)
    • NIST 800-171, ISO 27001, etc.
  • Non-compliance can result in legal penalties, audits, or fines.

3. Operational Consistency

  • Keeps device configurations uniform across environments (e.g., all routers have the same SNMP or logging settings).
  • Reduces human error from manual changes.
  • Makes troubleshooting easier by ensuring known-good config baselines.

4. Risk Mitigation

  • Identifies unauthorized changes (drift from the baseline).
  • Detects deprecated or insecure settings (e.g., Telnet instead of SSH).
  • Minimizes downtime from configuration issues by proactively checking for errors.

5. Supports Automation and Auditing

  • Compliance tests become part of CI/CD pipelines for networking.
  • Automated tools (like Ansible, Nornir, or Batfish) can:
    • Run checks regularly
    • Generate audit reports
    • Trigger alerts or remediation

6. Enhances Network Agility

  • Confirms that changes (e.g., firmware upgrades or ACL modifications) still align with corporate policy.
  • Enables safe, rapid scaling without sacrificing security or governance.

Compliance testing is not just about rules: it's about maintaining a secure, resilient, and manageable network that supports your organization's needs while minimizing risk. That said, let's first look at some examples; then, as a bonus, I'll show you how to generate compliance reports using Ansible.

Here is a checklist of what you could test for compliance:

A Possible Network Compliance Checklist

Not all of these items may apply to your network, but we have built this checklist over time. If I have missed any, let me know.

Security Configurations

  • SSH version 2 enabled (Telnet disabled)
  • User authentication via AAA (TACACS+ or RADIUS)
  • Enable secret password is set and encrypted
  • Password encryption service (service password-encryption) enabled
  • No default or blank passwords
  • Timeouts for idle sessions (e.g., exec-timeout)
  • Login banner configured with security warning

SNMP Configuration

  • SNMPv3 only (disable SNMPv1/v2c if not needed)
  • Community strings are secure, non-default, and read-only where appropriate
  • Access control via SNMP ACLs or views

Network Protocols

  • NTP server configured and reachable
  • Syslog server configured with proper severity levels
  • Domain name and hostname properly set
  • DNS servers configured (if required)
  • Time zone and clock synchronization correctly set

Access Control & Filtering

  • ACLs applied on all ingress/egress interfaces
  • Control plane protection (CoPP or rACL) implemented
  • Management access restricted via ACLs
  • Unused interfaces shut down
  • No unnecessary services enabled (e.g., CDP, LLDP, HTTP server)

Logging and Auditing

  • Syslog servers defined and reachable
  • Logging buffer configured for local logs
  • Timestamping enabled on logs
  • AAA accounting configured (if using TACACS+/RADIUS)
  • Change logging or configuration versioning in place

Configuration Management

  • Backup configurations regularly and securely stored
  • Running config matches startup config
  • Configuration changes monitored (via Git, Ansible, etc.)
  • Golden config templates in use for provisioning

Software and Patch Management

  • IOS/firmware is up-to-date
  • End-of-life (EOL) hardware/software flagged
  • Vulnerable OS versions identified and tracked

Interface and Network Settings

  • Correct IP addressing/subnetting
  • Interface descriptions present
  • No IP address overlaps
  • Link negotiation and MTU settings explicitly set if needed

Optional – Based on Environment

  • 802.1X port authentication
  • VRF configurations verified
  • MPLS/segment routing policy checks
  • BGP/OSPF route filtering and security
  • IPv6 compliance settings checked

Tools Required

  • Ansible 2.9+ with the vendor collections installed (ansible-galaxy collection install cisco.ios junipernetworks.junos)
  • Network device reachability (SSH or NETCONF)
  • Supported network OS modules

Example 1: Cisco IOS – Configure Interface and Hostname

Goal:

Set a hostname and configure a GigabitEthernet interface on a Cisco router.

Inventory (file: hosts.ini)

```ini
[cisco]
# Lab credentials shown inline for readability; in production keep ansible_password in an ansible-vault-encrypted vars file
router1 ansible_host=192.168.100.1 ansible_user=admin ansible_password=cisco ansible_network_os=cisco.ios.ios ansible_connection=network_cli
```

Playbook (file: ios_config.yml)

```yaml
- name: Configure Cisco Router
  hosts: cisco
  gather_facts: no
  tasks:

    - name: Set hostname
      cisco.ios.ios_config:
        lines:
          - hostname Branch-R1

    - name: Configure interface GigabitEthernet1
      cisco.ios.ios_config:
        lines:
          - description Link to Core
          - ip address 10.1.1.1 255.255.255.0
          - no shutdown
        parents: interface GigabitEthernet1
```

Run the playbook:

```bash
ansible-playbook -i hosts.ini ios_config.yml
```

Example 2: Multi-Vendor Compliance Check

Goal:

Audit NTP configuration across Cisco IOS and Juniper devices.

Inventory (file: hosts.ini)

```ini
[cisco]
r1 ansible_host=192.168.100.1 ansible_user=admin ansible_password=cisco ansible_network_os=cisco.ios.ios ansible_connection=network_cli

[juniper]
r2 ansible_host=192.168.100.2 ansible_user=admin ansible_password=juniper ansible_network_os=junipernetworks.junos.junos ansible_connection=netconf
```

Playbook (file: audit_ntp.yml)

```yaml
- name: Audit NTP Configuration
  hosts: all
  gather_facts: no
  tasks:

    - name: Get NTP config on Cisco
      when: ansible_network_os == "cisco.ios.ios"
      cisco.ios.ios_command:
        commands:
          - show run | include ntp
      register: ntp_cisco

    - name: Get NTP config on Juniper
      when: ansible_network_os == "junipernetworks.junos.junos"
      junipernetworks.junos.junos_command:
        commands:
          - show configuration system ntp
      register: ntp_junos

    # A skipped task still registers its variable, so registering both tasks into
    # one name would overwrite the Cisco result with a skipped Juniper result
    # (and vice versa). Separate names keep both outputs intact.
    - name: Display NTP configuration (Cisco)
      debug:
        var: ntp_cisco.stdout_lines
      when: ntp_cisco is not skipped

    - name: Display NTP configuration (Juniper)
      debug:
        var: ntp_junos.stdout_lines
      when: ntp_junos is not skipped
```

Great! But let me read your mind: how can I generate a report? Great question. Here's a real-world Ansible example for automated network compliance reporting, checking whether your devices meet a defined configuration standard (e.g., for NTP, SNMP, AAA, etc.).

Example: Automated Compliance Reporting on Cisco IOS Devices

Goal:

Check if Cisco devices:

  • Have the correct NTP server configured.
  • Have SNMP enabled with a specific community string.
  • Have SSH version 2 enabled.

Inventory File (hosts.ini)

```ini
[cisco]
r1 ansible_host=192.168.100.1 ansible_user=admin ansible_password=cisco ansible_network_os=cisco.ios.ios ansible_connection=network_cli
r2 ansible_host=192.168.100.2 ansible_user=admin ansible_password=cisco ansible_network_os=cisco.ios.ios ansible_connection=network_cli
```

Playbook (compliance_check.yml)

```yaml
- name: Compliance Check - Cisco Devices
  hosts: cisco
  gather_facts: no
  tasks:

    - name: Gather running configuration
      cisco.ios.ios_command:
        commands:
          - show running-config
      register: config_output

    # Plain substring tests: note that 'ntp server 192.168.1.10' also matches
    # 'ntp server 192.168.1.100'; anchor the match if that precision matters.
    - name: Check for NTP server
      set_fact:
        ntp_ok: "{{ 'ntp server 192.168.1.10' in config_output.stdout[0] }}"

    # 'public' is used here only as the sample string the report looks for;
    # the checklist above calls for non-default community strings.
    - name: Check for SNMP community string
      set_fact:
        snmp_ok: "{{ 'snmp-server community public RO' in config_output.stdout[0] }}"

    - name: Check for SSH version 2
      set_fact:
        ssh_ok: "{{ 'ip ssh version 2' in config_output.stdout[0] }}"

    # The report is written on the control node, so the file tasks are
    # delegated to localhost and the target directory is created first.
    - name: Ensure the local reports directory exists
      file:
        path: ./reports
        state: directory
      delegate_to: localhost
      run_once: true

    - name: Create compliance report
      copy:
        dest: "./reports/{{ inventory_hostname }}_compliance.txt"
        content: |
          Compliance Report for {{ inventory_hostname }}
          ---------------------------------------------
          NTP Server Configured: {{ 'PASS' if ntp_ok else 'FAIL' }}
          SNMP Community Public RO: {{ 'PASS' if snmp_ok else 'FAIL' }}
          SSH Version 2 Enabled: {{ 'PASS' if ssh_ok else 'FAIL' }}
      delegate_to: localhost
```

Example Output:

You’ll get a text file per device in a ./reports/ folder like:

r1_compliance.txt

```text
Compliance Report for r1
---------------------------------------------
NTP Server Configured: PASS
SNMP Community Public RO: FAIL
SSH Version 2 Enabled: PASS
```
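The playbooks above decide PASS/FAIL with a plain substring test on the whole running config, which is quick but imprecise: 'ntp server 192.168.1.10' is also found inside 'ntp server 192.168.1.100', and the check cannot express "this line must NOT be present" (Telnet on the VTY lines, a default SNMP community string) the way the checklist earlier asks for. The following is an added example, not code from the article: a small Ansible filter plugin in Python that matches each check against whole config lines and returns a result dictionary plus a report in the same layout the playbook writes. The file path filter_plugins/compliance.py next to the playbook is the standard Ansible location for such plugins; the baseline patterns, the check names and the sample running config are constructed for the example and would be replaced by your own standard. Unlike the article's playbook, this baseline treats a default community string as a finding, which is what the checklist above calls for.

```python
"""
filter_plugins/compliance.py  (hypothetical file path for this example)

Line-anchored compliance checks for IOS-style running configs, exposed as
Ansible filters so a playbook can write:

    - set_fact:
        results: "{{ config_output.stdout[0] | compliance_check }}"
    - copy:
        dest: "./reports/{{ inventory_hostname }}_compliance.txt"
        content: "{{ inventory_hostname | compliance_report(results) }}"
      delegate_to: localhost

The functions also run stand-alone, so the baseline can be unit-tested
without touching a device.
"""
import re

# Checks that MUST match one full config line (fullmatch, so the NTP pattern
# does not accept 192.168.1.100). Values are example assumptions.
DEFAULT_REQUIRED = {
    "NTP Server Configured": r"ntp server 192\.168\.1\.10( .*)?",
    "SSH Version 2 Enabled": r"ip ssh version 2",
    "Password Encryption": r"service password-encryption",
}

# Checks that must NOT match any config line (insecure or deprecated settings
# from the checklist: Telnet access, default community strings).
DEFAULT_FORBIDDEN = {
    "No Telnet on VTY": r"transport input .*\btelnet\b.*",
    "No Default SNMP Community": r"snmp-server community (public|private)\b.*",
}


def _config_lines(config):
    """Strip indentation, blank lines and '!' separators from a running config."""
    stripped = (line.strip() for line in config.splitlines())
    return [line for line in stripped if line and not line.startswith("!")]


def compliance_check(config, required=None, forbidden=None):
    """Return {check name: True/False} for one device's running config."""
    lines = _config_lines(config)
    results = {}
    for name, pattern in (required or DEFAULT_REQUIRED).items():
        rx = re.compile(pattern)
        results[name] = any(rx.fullmatch(line) for line in lines)
    for name, pattern in (forbidden or DEFAULT_FORBIDDEN).items():
        rx = re.compile(pattern)
        results[name] = not any(rx.fullmatch(line) for line in lines)
    return results


def compliance_report(hostname, results):
    """Render results in the same layout as the article's per-device report."""
    passed = sum(1 for ok in results.values() if ok)
    total = len(results)
    out = [f"Compliance Report for {hostname}", "-" * 45]
    out += [f"{name}: {'PASS' if ok else 'FAIL'}" for name, ok in results.items()]
    verdict = "COMPLIANT" if passed == total else "NON-COMPLIANT"
    out.append(f"Overall: {verdict} ({passed}/{total} checks passed)")
    return "\n".join(out)


class FilterModule:
    """Registers the functions as Jinja2 filters when Ansible loads this file."""

    def filters(self):
        return {
            "compliance_check": compliance_check,
            "compliance_report": compliance_report,
        }


# Constructed sample running config: note the NTP server is 192.168.1.100 and
# the SNMP community is the default 'public'.
SAMPLE_CONFIG = """\
!
hostname r1
service password-encryption
ntp server 192.168.1.100
ip ssh version 2
snmp-server community public RO
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    print(compliance_report("r1", compliance_check(SAMPLE_CONFIG)))
```

On the sample config the NTP check fails even though the substring 'ntp server 192.168.1.10' is present, the Telnet check passes because only ssh is allowed on the VTY lines, and the default community string is reported as a FAIL; the trailing Overall line gives a one-glance verdict that a later task can use with the assert module or to raise an alert.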

I hope you found this post informative and helpful.

Comments are welcomed below from registered users. You can also leave comments at our Discord server.

If you would like to see more content and articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!
