diff --git a/README.md b/README.md index fabf1f8a2..68feaa41f 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ PEP440 is the schema used to describe the versions of Ansible. ### Supported connections -The Cisco IOS collection supports `network_cli` connections. +The Cisco IOS collection supports `network_cli` connections. A detailed platform guide can be found [here](https://github.com/ansible-collections/cisco.ios/blob/main/platform_guide.rst). ## Included content diff --git a/platform_guide.rst b/platform_guide.rst new file mode 100644 index 000000000..fd2b4eab0 --- /dev/null +++ b/platform_guide.rst @@ -0,0 +1,81 @@ +.. _ios_platform_options: + +*************************************** +IOS Platform Options +*************************************** + +The `Cisco IOS `_ collection supports Enable Mode (Privilege Escalation). This page offers details on how to use Enable Mode on IOS in Ansible. + +.. contents:: + :local: + +Connections available +================================================================================ + +.. table:: + :class: documentation-table + + ==================== ========================================== + .. CLI + ==================== ========================================== + Protocol SSH + + Credentials uses SSH keys / SSH-agent if present + + accepts ``-u myuser -k`` if using password + + Indirect Access by a bastion (jump host) + + Connection Settings ``ansible_connection: ansible.netcommon.network_cli`` + + |enable_mode| supported: use ``ansible_become: true`` with + ``ansible_become_method: enable`` and ``ansible_become_password:`` + + Returned Data Format ``stdout[0].`` + ==================== ========================================== + +.. |enable_mode| replace:: Enable Mode |br| (Privilege Escalation) + + +The ``ansible_connection: local`` has been deprecated. Please use ``ansible_connection: ansible.netcommon.network_cli`` instead. + +Using CLI in Ansible +==================== + +Example CLI ``group_vars/ios.yml`` +---------------------------------- + +.. code-block:: yaml + + ansible_connection: ansible.netcommon.network_cli + ansible_network_os: cisco.ios.ios + ansible_user: myuser + ansible_password: !vault... + ansible_become: true + ansible_become_method: enable + ansible_become_password: !vault... + ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"' + + +- If you are using SSH keys (including an ssh-agent) you can remove the ``ansible_password`` configuration. +- If you are accessing your host directly (not through a bastion/jump host) you can remove the ``ansible_ssh_common_args`` configuration. +- If you are accessing your host through a bastion/jump host, you cannot include your SSH password in the ``ProxyCommand`` directive. To prevent secrets from leaking out (for example in ``ps`` output), SSH does not support providing passwords through environment variables. + +Example CLI task +---------------- + +.. code-block:: yaml + + - name: Backup current switch config (ios) + cisco.ios.ios_config: + backup: yes + register: backup_ios_location + when: ansible_network_os == 'cisco.ios.ios' + +Warning +-------- +Never store passwords in plain text. We recommend using SSH keys to authenticate SSH connections. Ansible supports ssh-agent to manage your SSH keys. If you must use passwords to authenticate SSH connections, we recommend encrypting them with Ansible Vault. + +.. seealso:: + + :ref:`timeout_options` \ No newline at end of file