
Automating Cisco IOS Upgrades with Ansible

"Learn how to write an Ansible playbook to safely and reliably upgrade Cisco IOS firmware across hundreds of switches simultaneously."

GSV Professionals
DevOps Team

Managing firmware lifecycle on network infrastructure can be incredibly tedious. In this tutorial, we will use Ansible to automate this process.

1. Setting up the Ansible Environment

First, ensure you have the required Ansible collections installed on your control node.

```bash
ansible-galaxy collection install cisco.ios
```

Inventory File

Let's define our switches in inventory.yaml:

```yaml
all:
  children:
    switches:
      hosts:
        switch-01:
          ansible_host: 192.168.1.10
        switch-02:
          ansible_host: 192.168.1.11
```

2. Writing the Upgrade Playbook

Our playbook needs to check the current version, upload the new binary, and reload the switch if necessary.

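```yaml
- name: Upgrade Cisco IOS
  hosts: switches
  gather_facts: false   # facts come from ios_facts below, not the default setup module
  tasks:
    # Populates ansible_net_version, which the copy task compares against
    - name: Gather facts
      cisco.ios.ios_facts:
        gather_subset: hardware

    # Upload only to switches that are not already on the target release
    - name: Copy firmware image via SCP
      ansible.netcommon.net_put:
        src: "/images/c3560cx-universalk9-mz.152-7.E3.bin"
        dest: "flash:/c3560cx-universalk9-mz.152-7.E3.bin"
      when: ansible_net_version != "15.2(7)E3"
```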

Let's run the playbook in check mode first to see what would happen:

```
$ ansible-playbook -i inventory.yaml upgrade.yaml --check

PLAY [Upgrade Cisco IOS] *******************************************************

TASK [Gather facts] ************************************************************
ok: [switch-01]
ok: [switch-02]

TASK [Copy firmware image via SCP] **********************************************
skipping: [switch-01]
changed: [switch-02]

PLAY RECAP *********************************************************************
switch-01 : ok=1 changed=0 unreachable=0 failed=0
switch-02 : ok=2 changed=1 unreachable=0 failed=0
```

Notice how switch-01 was skipped because it already has the correct version!
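The playbook above stops after the copy, so a truncated or tampered image would sit on flash unverified. The tasks below are an added example, not part of the original tutorial: they check the image's checksum on the switch and set the boot variable only if it matches. `image_md5` is a placeholder for the checksum Cisco publishes for this image, and the match on the word `Verified` assumes the usual output of the IOS `verify /md5` command.

```yaml
    # Added example: append under "tasks:" after "Copy firmware image via SCP".
    # image_md5 is a placeholder; set it to the checksum Cisco publishes for
    # this exact image file. It is not a real hash.
    - name: Verify the copied image before it can be booted
      when:
        - ansible_net_version != "15.2(7)E3"
        - not ansible_check_mode        # nothing was copied in --check mode
      vars:
        image_name: "c3560cx-universalk9-mz.152-7.E3.bin"
        image_md5: "REPLACE_WITH_PUBLISHED_MD5"
        ansible_command_timeout: 600    # hashing a full image on flash is slow
      block:
        - name: Hash the image on the switch and compare with the expected value
          cisco.ios.ios_command:
            commands:
              - "verify /md5 flash:/{{ image_name }} {{ image_md5 }}"
          register: verify_result

        - name: Fail this host if the checksum does not match
          ansible.builtin.assert:
            that:
              - "'Verified' in verify_result.stdout[0]"
            fail_msg: >-
              Checksum mismatch for {{ image_name }} on {{ inventory_hostname }};
              boot variable left unchanged.

        - name: Set the boot variable only after verification passed
          cisco.ios.ios_config:
            lines:
              - "boot system flash:/{{ image_name }}"
            save_when: modified
```

A host that fails the check drops out of the play with its boot variable untouched, so a later reload step never boots an unverified image.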

Enterprise Scaling of Ansible Playbooks

As network automation scales from basic ad-hoc scripts to enterprise-wide infrastructure-as-code, consider these best practices:

  1. Ansible Vault: Encrypt sensitive credentials, API tokens, and private SSH keys using Ansible Vault to prevent sensitive information from being committed to Git repositories in plain text.
  2. Version-Controlled Inventories: Maintain dynamic inventories within Git, utilizing pull requests and peer review to audit network change proposals before they are executed.
  3. Dry-Run Validation: Always execute your playbooks in --check (dry-run) mode within staging environments to verify intended configurations and prevent accidental modifications in production.

This structured automation pipeline ensures repeatable, compliant, and error-free network administration across your entire global switch and router fleet.
