Study Guide: Chapter 14 — Controller-Based Ansible Automation

Pre-Quiz — Test Your Prior Knowledge

1. The cisco.dnac Ansible collection communicates with Catalyst Center using which transport?

SSH via the network management plane NETCONF over port 830 HTTPS REST using the Cisco Catalyst Center Python SDK SNMP v3 over UDP 161

2. What is the correct order for provisioning a new device in Catalyst Center using Ansible workflow manager modules?

Add to inventory → Create site hierarchy → Provision to site Create site hierarchy → Add to inventory → Provision to site Provision to site → Create site hierarchy → Add to inventory Create site hierarchy → Provision to site → Add to inventory

3. When using the cisco.meraki collection, the Ansible control node communicates directly with which endpoint?

Each individual Meraki access point via SSH A local on-premises Meraki controller The Meraki Dashboard API at api.meraki.com The Meraki Dashboard API via the MX security appliance proxy

4. Which Ansible module is commonly used to automate vManage REST API calls when a purpose-built collection is not available?

ansible.netcommon.restconf_get ansible.builtin.uri cisco.ios.ios_config ansible.netcommon.httpapi

5. What is the primary purpose of ansible-vault in a multi-controller automation project?

To speed up playbook execution by caching API responses To validate playbook syntax before execution To encrypt sensitive variables (API keys, passwords) at rest using AES-256 To create an isolated Python virtual environment for collections

Section 1: Ansible for Catalyst Center (cisco.dnac Collection)

The cisco.dnac collection is Cisco's official Ansible interface for Catalyst Center (formerly DNA Center). Every module communicates exclusively over HTTPS REST using the Cisco Catalyst Center Python SDK as its transport — no SSH or NETCONF is involved. This means tasks always target localhost and the control node must have the SDK installed.

ansible-galaxy collection install cisco.dnac
pip install dnacentersdk

A minimum Catalyst Center version of 2.3.5.3 is required for workflow manager modules; enhanced features require 2.3.7.9+.

Workflow Manager Modules

The collection's *_workflow_manager modules are idempotent lifecycle managers. They compare desired state against live configuration and make only necessary changes. Running the same playbook twice with state: merged is always safe.

Module	Resource Domain
`site_workflow_manager`	Site hierarchy (Area / Building / Floor)
`inventory_workflow_manager`	Device inventory (add via SNMP/CLI)
`provision_workflow_manager`	Device provisioning (Day-0 / Day-N templates)
`pnp_workflow_manager`	Plug-and-Play onboarding (ZTP / Planned / Unclaimed)
`network_compliance_workflow_manager`	Compliance auditing and drift detection
`lan_automation_workflow_manager`	IS-IS discovery and greenfield deployment
`rma_workflow_manager`	Hardware replacement (RMA) workflow

Site Hierarchy: Area → Building → Floor

Before any device can be provisioned, the three-level site hierarchy must exist. The parent_name field uses a slash-delimited path from the Global root, which is also referenced by provision_workflow_manager.

- name: Build Area, Building, and Floor
  cisco.dnac.site_workflow_manager:
    dnac_host: "{{ vault_dnac_host }}"
    dnac_username: "{{ vault_dnac_username }}"
    dnac_password: "{{ vault_dnac_password }}"
    dnac_verify: false
    state: merged
    config:
      - site:
          area:
            name: "US-West"
            parent_name: "Global"
          building:
            name: "HQ-Building1"
            parent_name: "Global/US-West"
          floor:
            name: "Floor-1"
            parent_name: "Global/US-West/HQ-Building1"
            rf_model: "Cubes And Walled Offices"

PnP Provisioning Modes

Mode	Description	Use Case
Zero-Touch (ZTP)	Device auto-connects; Catalyst Center pushes config immediately	New branch deployments
Planned	Pre-configure settings applied when device comes online	Controlled rollouts
Unclaimed	Discover and configure unexpected new devices	Dynamic environments

Compliance Checking

The network_compliance_workflow_manager detects configuration drift across four compliance categories:

INTENT — compares running config against Catalyst Center intent
RUNNING_CONFIG — checks for unauthorized manual changes
IMAGE — validates software version compliance
PSIRT — flags known security vulnerabilities

Key Points — Section 1: cisco.dnac

All cisco.dnac modules communicate via HTTPS REST using the dnacentersdk Python SDK — never SSH or NETCONF
Tasks must target localhost; all three connection vars (dnac_host, dnac_username, dnac_password) are required per task
The site hierarchy (Area → Building → Floor) must exist before devices can be provisioned — this order is enforced by Catalyst Center
All *_workflow_manager modules are idempotent: state: merged creates or updates; state: deleted removes; safe to run repeatedly
PnP supports three modes — ZTP (auto-boot), Planned (pre-staged), and Unclaimed (dynamic discovery) — controlled by pnp_workflow_manager

Section 2: Ansible for Meraki (cisco.meraki Collection)

Meraki is cloud-managed: Ansible never connects to individual devices. Every task is an HTTPS call to api.meraki.com from localhost. Authentication uses a Dashboard API key generated from Organization > Settings > Dashboard API access.

ansible-galaxy collection install cisco.meraki
# For full Dashboard API v1.33.0+ surface:
ansible-galaxy collection install meraki.dashboard

State Model

State	Action
`present`	Create if absent; update if exists
`absent`	Delete the resource
`query`	Read and return current resource info

Core Modules

Module	Manages
`cisco.meraki.meraki_network`	Networks (create, update, delete, query)
`cisco.meraki.meraki_device`	Devices (claim, remove, rename)
`cisco.meraki.meraki_mr_ssid`	Wireless SSIDs (auth, encryption, VLAN)
`cisco.meraki.meraki_mx_vlan`	MX appliance VLANs (subnet, DHCP)
`cisco.meraki.meraki_mx_site_to_site_firewall`	Site-to-site VPN firewall rules

Performance: Use Numeric IDs

Always prefer numeric org_id and net_id over name-based parameters. Name-based resolution requires additional API round-trips, which compounds at scale.

Query-Then-Act Pattern with selectattr()

Meraki API responses return lists, not keyed dictionaries. Use Jinja2's selectattr() filter to extract items by attribute:

- name: Extract target network ID by name
  set_fact:
    target_net_id: >-
      {{ network_list.data
         | selectattr('name', 'equalto', 'Branch-Office-NYC')
         | map(attribute='id')
         | list
         | first }}

SSID Configuration

SSIDs are numbered 0–14 per Meraki MR network. Set auth_mode to psk for WPA-PSK or open for open networks; control isolation with ip_assignment_mode ("Bridge mode" or "NAT mode").

Section 3: Ansible for SD-WAN (URI Module)

Cisco SD-WAN is managed through the vManage REST API. Because purpose-built modules may not cover every endpoint, the ansible.builtin.uri module is the primary tool — and mastering it teaches the underlying REST pattern that all controller automation relies on.

vManage API Categories

Category	Base Path	Purpose
Monitoring	`/dataservice/device`	Device health, reachability, interface stats
Real-Time Monitoring	`/dataservice/device/bfd/...`	Live BFD, OMP, tunnel state
Configuration	`/dataservice/template/`	Feature templates, device templates, policy
Administration	`/dataservice/admin/`	Users, certificates, cluster management

Session-Cookie Authentication (Two-Step)

vManage uses session-cookie authentication. Step 1 POSTs credentials to /j_security_check to obtain a session cookie. Step 2 includes that cookie in the Cookie header of all subsequent requests.

- name: Authenticate to vManage
  uri:
    url: "https://{{ vault_vmanage_host }}/j_security_check"
    method: POST
    body_format: form-urlencoded
    body:
      j_username: "{{ vault_vmanage_user }}"
      j_password: "{{ vault_vmanage_password }}"
    validate_certs: false
    status_code: 200
  register: auth_result

- name: Store session cookie
  set_fact:
    vmanage_session: "{{ auth_result.cookies_string }}"

CSRF Token for State-Changing Calls

All POST/PUT operations require a CSRF token retrieved from GET /dataservice/client/token. Include it as an X-XSRF-TOKEN request header.

Building Idempotency Manually

The uri module has no built-in idempotency. Use a check-before-act pattern: query existing resources, then use a when condition to act only if the resource is absent.

- name: Create VPN template only if absent
  uri:
    url: "https://{{ vault_vmanage_host }}/dataservice/template/feature"
    method: POST
    headers:
      Cookie: "{{ vmanage_session }}"
      X-XSRF-TOKEN: "{{ xsrf_token }}"
      Content-Type: "application/json"
    body_format: json
    body: "{{ lookup('file', 'templates/vpn_template.json') }}"
    validate_certs: false
  when: >-
    existing_templates.json.data
    | selectattr('templateName', 'equalto', 'VPN-0-Internet')
    | list | length == 0

Section 4: Multi-Controller Automation Patterns

Orchestrating three controllers from a single Ansible project requires deliberate architectural discipline. The core principle: treat each controller as a domain with clear boundaries enforced by Ansible's role and inventory structures.

Inventory: Group by Controller Domain

[catalyst_center]
dnac-primary.corp.com

[meraki_cloud]
localhost

[sdwan_vmanage]
vmanage.corp.com

[catalyst_center:vars]
ansible_connection=local

[meraki_cloud:vars]
ansible_connection=local

[sdwan_vmanage:vars]
ansible_connection=local

All three groups use ansible_connection=local — all communication is HTTPS REST from the control node, not SSH to remote hosts. Meraki uses localhost because there is no on-premises Meraki server.

ansible-vault Credential Management

Store all secrets in an AES-256 encrypted vault file. Never commit plain-text API keys or passwords to version control.

ansible-vault: Plain Text → AES-256 Encrypted

vault.yml (pre-encryption)

vault_dnac_password: "SuperSecret123"
vault_meraki_api_key: "abc123..."
vault_vmanage_password: "SDWANPass!"

→ ansible-vault encrypt (AES-256 / password-derived key)

vault.yml (on disk)

$ANSIBLE_VAULT;1.1;AES256
3061383439333530626664353961643
3631386535396161663739396436356
3538303932663261663462343864373
...

Referenced as {{ vault_dnac_password }} — decrypted only at runtime with --ask-vault-pass or --vault-password-file

Master Orchestration with import_playbook

# site.yml — Master Multi-Controller Orchestration
- import_playbook: playbooks/catalyst_center/provision_sites.yml
- import_playbook: playbooks/meraki/deploy_networks.yml
- import_playbook: playbooks/sdwan/deploy_templates.yml
- import_playbook: playbooks/sdwan/health_check.yml

Use import_playbook (static, parse-time) for known sequences. Use include_tasks (dynamic, runtime) within roles when task selection depends on variables or conditions.

Error Handling with block/rescue/always

Multi-controller workflows can fail partway through. Use block/rescue/always — analogous to try/catch/finally — for graceful rollback and notifications regardless of outcome.

- block:
    - name: Provision device to Catalyst Center
      cisco.dnac.provision_workflow_manager:
        state: merged
        config:
          - management_ip_address: "{{ device_ip }}"
            site_name_hierarchy: "{{ site_path }}"
  rescue:
    - name: Remove device from inventory (rollback)
      cisco.dnac.inventory_workflow_manager:
        state: deleted
        config:
          - ip_address_list: ["{{ device_ip }}"]
  always:
    - name: Send Webex notification regardless of outcome
      uri:
        url: "{{ vault_webex_webhook }}"
        method: POST
        body_format: json
        body: {text: "Provisioning task completed for {{ device_ip }}"}

Execution Environments for AAP

For Red Hat Ansible Automation Platform at scale, build a custom Execution Environment container bundling all collections and SDK dependencies. AAP Workflow Templates then chain Catalyst Center → Meraki → SD-WAN jobs with conditional branching, RBAC, and event-driven automation.

Key Points — Section 4: Multi-Controller Patterns

Group inventory by controller domain (catalyst_center, meraki_cloud, sdwan_vmanage); all groups use ansible_connection=local
All secrets belong in group_vars/all/vault.yml encrypted with ansible-vault — never in plain-text playbooks or inventory files
import_playbook (static/parse-time) is for orchestration; include_tasks (dynamic/runtime) is for conditional task loading within roles
block/rescue/always provides rollback on partial failures — rescue runs only on failure, always runs regardless of outcome
Red Hat AAP Execution Environments bundle cisco.dnac, cisco.meraki, and dnacentersdk for consistent, portable multi-controller automation at enterprise scale

Post-Quiz — Consolidate Your Learning

Post-Quiz — Test What You Learned