7.6. Configuration Management (Ansible, Terraform)

💡 First Principle: Configuration management tools treat network configuration as code—define the desired state in files, and the tool makes reality match. Think of it like a recipe: instead of manually configuring each device, you write down what you want and let the tool do the cooking.

Consider this scenario: You have 200 switches. A security policy changes, requiring a new ACL on every device. Without Ansible: SSH to each one, paste the config, hope you don't typo, and document that you did it. With Ansible: update one playbook, run it, and it applies the change everywhere in minutes—with a log of exactly what changed. The difference is hours of manual work versus minutes of automated execution.

What happens without configuration management: Over time, devices drift. Someone makes an emergency change on one switch but forgets to document it. Another switch gets configured slightly differently. Six months later, traffic behaves oddly on some devices but not others. Without config management, you can't even prove what changed. With it, every change is versioned in Git—you see exactly who changed what and when, and you can roll back instantly.

Ansible:

• Agentless: Uses SSH to connect to devices (no software to install)
• Declarative: Define desired state in YAML playbooks
• Idempotent: Running multiple times produces same result (won't duplicate VLANs)
• Push model: Controller pushes config to devices

# Example Ansible playbook
- name: Configure VLAN
  hosts: switches
  tasks:
    - name: Create VLAN 10
      cisco.ios.ios_vlans:
        config:
          - vlan_id: 10
            name: HR

Terraform

• Infrastructure as Code: Define resources in HCL files
• Provider-based: Plugins for different platforms (AWS, Azure, network vendors)
• State management: Tracks what's deployed so it knows what to change
• Plan before apply: Preview changes before making them—no surprises