IOS Platform Options

The Cisco IOS collection supports Enable Mode (Privilege Escalation). This page offers details on how to use Enable Mode on IOS in Ansible.

Connections available

CLI

Protocol

SSH

Credentials

uses SSH keys / SSH-agent if present

accepts -u myuser -k if using password

Indirect Access

via a bastion (jump host)

Connection Settings

ansible_connection: ansible.netcommon.network_cli

Enable Mode
(Privilege Escalation)

supported: use ansible_become: yes with ansible_become_method: enable and ansible_become_password:

Returned Data Format

stdout[0].

The ansible_connection: local has been deprecated. Please use ansible_connection: ansible.netcommon.network_cli instead.

Using CLI in Ansible

Example CLI group_vars/ios.yml

ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.ios.ios
ansible_user: myuser
ansible_password: !vault...
ansible_become: yes
ansible_become_method: enable
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
  • If you are using SSH keys (including an ssh-agent) you can remove the ansible_password configuration.

  • If you are accessing your host directly (not through a bastion/jump host) you can remove the ansible_ssh_common_args configuration.

  • If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ProxyCommand directive. To prevent secrets from leaking out (for example in ps output), SSH does not support providing passwords via environment variables.

Example CLI task

- name: Backup current switch config (ios)
  cisco.ios.ios_config:
    backup: yes
  register: backup_ios_location
  when: ansible_network_os == 'cisco.ios.ios'

Warning

Never store passwords in plain text. We recommend using SSH keys to authenticate SSH connections. Ansible supports ssh-agent to manage your SSH keys. If you must use passwords to authenticate SSH connections, we recommend encrypting them with Ansible Vault.