6.5 Configuration Management Tools
Key Takeaways
- Ansible is agentless (uses SSH), uses YAML playbooks, and is ideal for network device configuration.
- Terraform is for infrastructure provisioning — it creates and manages cloud resources and network infrastructure declaratively.
- Ansible is procedural ('do these steps'); Terraform is declarative ('make the state look like this').
- Both tools support idempotency — running them multiple times produces the same result.
- Puppet and Chef are agent-based alternatives (less common for networking than Ansible).
Configuration Management Tools
Configuration management tools automate the deployment and maintenance of consistent configurations across network devices. The CCNA v1.1 specifically tests Ansible and Terraform.
Ansible
Ansible is an open-source automation tool that is particularly popular for network device configuration.
Key Characteristics
| Feature | Detail |
|---|---|
| Agentless | No software needs to be installed on managed devices — uses SSH |
| Language | YAML (for playbooks) and Python (engine) |
| Push-based | Controller pushes configurations to devices |
| Idempotent | Running the same playbook twice produces the same result |
| Developer | Red Hat (IBM) |
| Primary use | Configuration management, application deployment |
Ansible Components
| Component | Purpose |
|---|---|
| Inventory | List of managed devices (hosts, groups, IP addresses) |
| Playbook | YAML file defining the tasks to perform |
| Module | Pre-built function for a specific task (e.g., ios_config for Cisco IOS) |
| Task | A single action within a playbook |
| Role | Reusable collection of tasks, templates, and variables |
Example Ansible Playbook (Network)
```yaml
---
- name: Configure VLANs on switches
  hosts: access_switches
  gather_facts: no
  tasks:
    - name: Create VLAN 10
      cisco.ios.ios_vlans:
        config:
          - vlan_id: 10
            name: SALES
            state: active
        state: merged
    - name: Configure access port
      cisco.ios.ios_config:
        lines:
          - switchport mode access
          - switchport access vlan 10
        parents: interface GigabitEthernet0/1
```
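The second task above only reports "changed" when the device actually needs the lines. The following Python model, added here as an illustration and not taken from the page or from the Ansible project, shows the mechanism that makes an ios_config task idempotent: fetch the running configuration, locate the block named by parents, and in the default line-matching mode send only the lines that are missing under that parent. The function names and the sample running configuration are constructed for this example.

```python
# Added example (not from the page or from the Ansible project): a small model of
# how the cisco.ios.ios_config task in the playbook above stays idempotent.
# Before pushing anything, the module fetches the running configuration, finds the
# block named by `parents`, and in its default line-matching mode sends only the
# `lines` that are not already present under that parent. Nothing is sent when
# every line is already there. The function names and the sample running config
# are constructed for this illustration.

RUNNING_CONFIG = """\
hostname SW1
!
interface GigabitEthernet0/1
 description User desk
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode trunk
!
line vty 0 4
 transport input ssh
!
"""


def parse_running_config(text: str) -> dict:
    """Return {parent line: [child lines]} for a one-level IOS-style config.

    Indented lines belong to the most recent unindented line; a '!' separator
    or a blank line closes the current block.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def build_commands(running: str, parents: str, lines: list) -> list:
    """Commands the task would send: the parent, then only the missing lines.

    An empty list means the device already matches, so the task reports 'ok'.
    """
    existing = parse_running_config(running).get(parents, [])
    missing = [line for line in lines if line not in existing]
    return [parents] + missing if missing else []


def apply_commands(running: str, commands: list) -> str:
    """Simulate the switch accepting the commands; return the new running config."""
    if not commands:
        return running
    parent, children = commands[0], commands[1:]
    blocks = parse_running_config(running)
    blocks.setdefault(parent, []).extend(children)
    out = []
    for block, kids in blocks.items():
        out.append(block)
        out.extend(" " + kid for kid in kids)
        out.append("!")
    return "\n".join(out) + "\n"


def run_task_twice(running: str, parents: str, lines: list) -> tuple:
    """Run the same task twice; the second run must produce no commands."""
    first = build_commands(running, parents, lines)
    running = apply_commands(running, first)
    second = build_commands(running, parents, lines)
    return first, second


if __name__ == "__main__":
    task_lines = ["switchport mode access", "switchport access vlan 10"]
    first, second = run_task_twice(RUNNING_CONFIG, "interface GigabitEthernet0/1", task_lines)
    print("first run sends:", first)    # parent plus the one missing line
    print("second run sends:", second)  # [] -> task reports 'ok', not 'changed'
```

On the first run only `switchport access vlan 10` is pushed, because `switchport mode access` is already under the interface; on the second run nothing is sent at all. That is the behaviour the "Idempotent" row in the table above describes.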
Terraform
Terraform is an infrastructure-as-code tool for provisioning and managing infrastructure resources.
Key Characteristics
| Feature | Detail |
|---|---|
| Declarative | You define the desired state; Terraform figures out how to get there |
| Provider-based | Plugins for cloud (AWS, Azure, GCP) and network (Cisco, Juniper) |
| State file | Tracks the current state of managed resources |
| Plan before apply | Shows what will change before making changes |
| Developer | HashiCorp |
| Primary use | Infrastructure provisioning (cloud resources, VMs, networks) |
Terraform Workflow
- Write — Define infrastructure in .tf files (HCL language)
- Plan — Preview what changes will be made (terraform plan)
- Apply — Execute the changes (terraform apply)
- Destroy — Remove all managed resources (terraform destroy)
Example Terraform Configuration
```hcl
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  tags = {
    Name = "Production-VPC"
  }
}

resource "aws_subnet" "web" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  tags = {
    Name = "Web-Subnet"
  }
}
```
Ansible vs. Terraform
| Feature | Ansible | Terraform |
|---|---|---|
| Approach | Procedural (step-by-step tasks) | Declarative (desired state) |
| Primary use | Configuration management | Infrastructure provisioning |
| Agent | Agentless (SSH) | Agentless (API calls) |
| Language | YAML | HCL (HashiCorp Configuration Language) |
| State tracking | No state file | Yes (terraform.tfstate) |
| Network support | Excellent (many modules for Cisco, Arista, Juniper) | Growing (providers for cloud networking) |
| Best for networking | Day-2 operations (configuring existing devices) | Day-0 provisioning (creating infrastructure) |
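To make the "declarative", "plan before apply" and "state file" rows concrete, here is a toy reconciler written for this section; it is an added illustration, not code from the page, from Ansible or from Terraform. It takes a desired state rather than a list of steps, returns a plan without touching anything, records what it created in a state record that plays the role of terraform.tfstate, and on destroy removes only what that record lists, leaving a pre-existing subnet it never managed alone. The VPC and subnet data and all function names are constructed for the example.

```python
# Added example (not from the page, Ansible or Terraform): a toy reconciler that
# models the Terraform column of the comparison above and the write/plan/apply/
# destroy workflow. The input is a desired state rather than a list of steps,
# plan() only returns the change list (plan before apply), apply() records what
# it created in a state record playing the role of terraform.tfstate, and
# destroy() removes exactly what that record lists. Running plan/apply a second
# time yields an empty plan, which is the idempotency both tools promise.
# The function names and the sample VPC/subnet data are constructed.
from copy import deepcopy

# Constructed cloud account: VPC id -> {subnet name: CIDR}. "Legacy-Subnet"
# already exists and is not in our configuration, so destroy must leave it alone.
CLOUD = {"vpc-main": {"Legacy-Subnet": "10.0.250.0/24"}}

# Desired state, the equivalent of the .tf file: what should exist, not how to build it.
DESIRED = {
    "vpc-main": {
        "Web-Subnet": "10.0.1.0/24",
        "App-Subnet": "10.0.2.0/24",
    }
}


def plan(cloud: dict, state: dict, desired: dict) -> list:
    """Return (action, vpc, subnet, cidr) tuples needed to reach `desired`.

    Only resources recorded in `state` are ours to replace or delete; anything
    else in the account is left untouched because no state record claims it.
    """
    changes = []
    for vpc, subnets in desired.items():
        actual = cloud.get(vpc, {})
        managed = state.get(vpc, {})
        for name, cidr in subnets.items():
            if name not in actual:
                changes.append(("create", vpc, name, cidr))
            elif name in managed and actual[name] != cidr:
                changes.append(("replace", vpc, name, cidr))
    # Managed resources that vanished from the desired state are deleted.
    for vpc, subnets in state.items():
        for name, cidr in subnets.items():
            if name not in desired.get(vpc, {}):
                changes.append(("delete", vpc, name, cidr))
    return changes


def apply(cloud: dict, state: dict, changes: list) -> dict:
    """Execute the plan against `cloud` in place; return the updated state record."""
    new_state = deepcopy(state)
    for action, vpc, name, cidr in changes:
        if action in ("create", "replace"):
            cloud.setdefault(vpc, {})[name] = cidr
            new_state.setdefault(vpc, {})[name] = cidr
        else:  # delete
            cloud.get(vpc, {}).pop(name, None)
            new_state.get(vpc, {}).pop(name, None)
    return new_state


def destroy(cloud: dict, state: dict) -> dict:
    """terraform destroy: the desired state is empty, so every managed resource goes."""
    return apply(cloud, state, plan(cloud, state, desired={}))


def run_demo() -> tuple:
    """Plan/apply twice, then destroy. Returns the pieces worth inspecting."""
    cloud, state = deepcopy(CLOUD), {}
    first = plan(cloud, state, DESIRED)
    state = apply(cloud, state, first)
    second = plan(cloud, state, DESIRED)  # converged: nothing left to do
    state = apply(cloud, state, second)
    converged = deepcopy(cloud)
    state = destroy(cloud, state)
    return first, second, converged, cloud, state


if __name__ == "__main__":
    first, second, converged, after_destroy, _ = run_demo()
    print("first plan:", first)            # two creates
    print("second plan:", second)          # []
    print("after apply:", converged)
    print("after destroy:", after_destroy) # only Legacy-Subnet remains
```

The point of the state record is visible in the last step: without it, a tool has no way to know which of the three subnets it created, which is why the "State tracking" row matters for day-0 provisioning and why Ansible, which keeps no such record, is used instead to configure devices that already exist.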
When to Use Each
| Scenario | Tool |
|---|---|
| Configure VLANs on 100 switches | Ansible |
| Deploy OSPF across the network | Ansible |
| Provision a new VPC in AWS with subnets and security groups | Terraform |
| Create a new virtual network in Azure | Terraform |
| Push ACL updates to all firewalls | Ansible |
| Stand up a complete cloud infrastructure from scratch | Terraform |
Other Configuration Management Tools
| Tool | Agent | Language | Model |
|---|---|---|---|
| Puppet | Agent-based (Ruby agent on managed nodes) | Ruby / Puppet DSL | Declarative, pull-based |
| Chef | Agent-based (Ruby agent on managed nodes) | Ruby | Procedural, pull-based |
| SaltStack | Agent-based or agentless | YAML/Python | Declarative or procedural |
On the Exam: Know that Ansible is agentless (uses SSH), uses YAML playbooks, and is ideal for network device configuration. Terraform is declarative, uses state files, and is primarily for infrastructure provisioning. Both support idempotency.
Which configuration management tool is agentless and uses SSH to connect to network devices?
What is the primary difference between Ansible and Terraform?