Sign in Subscribe

Understanding Ansible, Puppet, and Chef for CCNA 200-301: The Practical Automation Mindset Cisco Wants You to Know

Understanding Ansible, Puppet, and Chef for CCNA 200-301: The Practical Automation Mindset Cisco Wants You to Know

1. Introduction: why automation matters in modern networks

Honestly, today’s networks are usually too large, too distributed, and too constantly changing to manage well with copy-and-paste alone. Manual CLI work still matters, absolutely, but once you’re making the same change across dozens of routers and switches, the chances of inconsistency, drift, and those classic late-night mistakes go way up. That’s why automation matters so much—it makes changes repeatable, reduces human error, and honestly makes auditing and validation a whole lot easier.

For CCNA 200-301, the big thing to remember is that you’re not being asked to become a programmer. What Cisco does expect is that you understand where network operations are heading: more APIs, more controller-based workflows, more configuration management, and a lot less reliance on one-off manual changes. Ansible, Puppet, and Chef all have a role in that story. That said, they’re not equally common when it comes to direct Cisco device automation. In day-to-day Cisco work, I’ve seen Ansible and API- or controller-based automation show up a lot more often than Puppet or Chef when it comes to actually changing devices. That said, Puppet and Chef still matter because they’re really good examples of desired-state, policy-driven configuration management, and that idea comes up everywhere in automation.

2. Core concepts you need first

Infrastructure as Code (IaC) means defining infrastructure in files that can be versioned, reviewed, and reused. In networking terms, that could mean putting things like VLANs, ACLs, NTP, syslog, or your standard interface settings into code instead of retyping the same CLI commands over and over again. And honestly, if you’ve ever done that across multiple branches, you know how quickly that gets old.

Configuration management is the process of establishing and maintaining approved configuration over time. Configuration drift happens when the live device state no longer matches the approved baseline.

Orchestration is broader than configuration management. It coordinates multiple steps across multiple systems. For example, a branch rollout might include switch configs, DHCP updates, firewall rules, monitoring setup, and even documentation updates, all lined up in the right order so you don’t accidentally skip a step. That sequencing part is actually a big deal in the real world.

Idempotency means repeating an action should leave the system in the same correct state. And here’s the really important part: idempotency usually comes down to the module or resource you’re using, not just the tool name on its own. So, same tool, different behavior depending on how you use it. A state-aware resource is usually safer than a raw command push.

Desired state means defining how something should look rather than listing every step manually. Puppet is strongly associated with this model. Chef also uses resource-based convergence toward desired state, though many engineers experience it as more procedural than Puppet. Ansible can absolutely produce declarative-style results through a lot of its idempotent modules, but the framework itself is still more task-oriented than purely declarative.

Push vs pull: in push automation, a central system sends changes to devices now. In pull or periodic convergence models, agents or clients check in and apply policy over time. Push fits maintenance windows well. Pull fits continuous enforcement well.

Agentless vs agent-based: agentless tools connect using existing management methods such as SSH, NETCONF, or APIs. Agent-based tools, on the other hand, rely on software running on the managed node itself. That matters because traditional Cisco routers and switches usually don’t run Puppet or Chef agents natively the way servers do, which is one big reason Ansible tends to feel more natural for network teams.

CLI-based vs model-driven automation: CLI automation pushes commands, often over SSH. Model-driven automation uses structured interfaces like NETCONF and RESTCONF, and those are often tied to YANG data models. Structured data is easier to validate and parse, sure, but support still varies by Cisco platform, software version, and whether the feature’s actually enabled. SSH is almost universal; NETCONF and RESTCONF definitely aren’t.

3. CCNA blueprint relevance and scope

For the exam, you definitely want to know how Ansible, Puppet, and Chef differ, but you don’t need to dive way down into Puppet or Chef syntax. CCNA is looking for the big-picture understanding, not whether you can write production-grade automation from memory. CCNA automation coverage is introductory. What Cisco’s really testing is whether you understand configuration management, controller-based networking, REST APIs, JSON, and model-driven interfaces at a high level.

What to know well: Ansible is commonly agentless and push-based; Puppet and Chef are commonly agent-driven with periodic convergence; REST APIs use structured data such as JSON; NETCONF and RESTCONF are model-driven management interfaces, often associated with YANG; automation improves consistency and reduces repetitive manual work.

What not to over-study: deep Puppet manifest syntax, advanced Chef Ruby patterns, or enterprise-scale implementation details beyond the basic architecture and use case differences.

4. Ansible explained

Ansible is the tool most CCNA candidates should associate most strongly with network automation. It runs from a control node and targets managed nodes using inventories, variables, modules, and playbooks. For Cisco networking, it is popular because it is usually agentless and works with management methods devices already expose.

Ansible commonly talks to Cisco devices using:

  • SSH/CLI with ansible.netcommon.network_cli
  • NETCONF with ansible.netcommon.netconf
  • HTTPAPI/REST-style access with ansible.netcommon.httpapi when supported

For network automation, you usually also define ansible_network_os so Ansible knows which platform-specific behavior and collection to use, such as cisco.ios.ios. These days, modern Ansible network automation leans heavily on maintained collections instead of the older legacy module naming patterns.

Ansible uses playbooks written in YAML. A playbook targets hosts from an inventory and runs tasks through modules. It can also use templates with Jinja2 for site-specific values, roles for reusable structure, tags for selective execution, and handlers for triggered actions. In network workflows, gather_facts is often disabled or replaced with network-specific fact gathering because standard server facts are not always relevant.

The easiest way to think about Ansible is as a task-execution framework that usually helps you land on an idempotent result. For example, a resource-aware module can make sure a VLAN exists, while a raw CLI push may just send commands and depend on command matching if you rerun it. That means idempotency is stronger with state-aware modules than with generic config blocks.

Here’s a tiny Cisco example just to make that feel less abstract:

[switches] dist-sw1 ansible_host=10.10.10.11 dist-sw2 ansible_host=10.10.10.12 [switches:vars] ansible_connection=ansible.netcommon.network_cli ansible_network_os=cisco.ios.ios ansible_user=netauto ansible_become=yes ansible_become_method=enable - name: Set interface description and validate hosts: switches gather_facts: no tasks: - name: Backup running config cisco.ios.ios_config: backup: yes - name: Configure uplink description cisco.ios.ios_config: parents: interface GigabitEthernet1/0/1 lines: - description Uplink to Distribution - name: Validate interface description cisco.ios.ios_command: commands: - show running-config interface GigabitEthernet1/0/1

This example is still simplified. In production, you also need credentials handling, access control, testing, and platform compatibility checks. The important exam takeaway is that Ansible can push repeatable changes, back up config, and run post-change validation without installing agents on the device.

Why Ansible is so common in Cisco environments:

  • No need to install a traditional agent on routers and switches
  • Fits maintenance-window push workflows well
  • Readable YAML lowers the barrier for network teams
  • It can work with CLI, APIs, and model-driven interfaces, depending on what that platform actually supports.

Limits and cautions: bad inventory can target the wrong devices, YAML indentation errors can break jobs, privilege escalation may be required, and API support varies by platform. IOS XE and NX-OS often align better with modern API/model-driven workflows than older or more limited platforms. ASA support exists in some workflows but is less central to modern CCNA automation discussions than IOS XE and controller/API topics.

5. Puppet explained

Puppet is a configuration management platform centered on desired state and ongoing enforcement. A typical Puppet deployment uses a Puppet Server and Puppet Agents. Agents check in periodically, receive a compiled catalog of intended resources, compare it to local state, and converge toward the approved baseline.

Puppet uses manifests written in Puppet DSL. It’s strong for server and operating system configuration, certificate-based trust, reporting, and drift remediation. In enterprise environments, Puppet can detect when something has changed outside policy and move it back toward the approved state on the next convergence cycle.

For CCNA, the important nuance is this: Puppet is historically much more prominent in server and OS management than in direct Cisco router and switch management. Traditional Cisco network devices generally don’t run Puppet agents natively the way Linux servers do, which is a pretty important distinction. So when you’re studying networking, it’s usually best to think of Puppet as a conceptual example of declarative, policy-driven configuration management rather than the tool you’d most often reach for to automate Cisco devices directly.

Exam takeaway: Puppet = commonly agent-based, manifest-driven, check-in/convergence model, strong desired-state enforcement.

6. Chef explained

Chef is another infrastructure automation and configuration management platform, also more common in server and hybrid infrastructure operations than in direct Cisco device CLI work. Chef typically uses a Workstation, Chef Server, and Chef Client. Clients register, check in, process a run list, and converge resources toward the intended state.

Chef content is written in a Ruby DSL using Chef resources. Its main building blocks are cookbooks, recipes, and attributes. Chef supports policy-as-code, testing workflows, and controlled promotion of changes through environments.

Like Puppet, Chef is important for understanding the automation landscape, but CCNA candidates should not assume it is a mainstream first-choice tool for pushing day-to-day Cisco switch changes. It is more accurate to view Chef as a policy and convergence platform with stronger roots in server automation.

Exam takeaway: Chef = commonly agent-based, client/server model, Ruby DSL, cookbooks and recipes, convergence toward policy-defined state.

7. Side-by-side comparison

Tool Typical model Agent requirement Main artifact Primary domain Direct Cisco device fit CCNA relevance
Ansible Push/task execution Usually agentless Playbook Multi-system automation High Highest of the three for practical network automation
Puppet Periodic convergence/check-in Usually agent-based Manifest Server/OS configuration management Low to conceptual Know the model and terminology
Chef Client/server convergence Usually agent-based Recipe/Cookbook Policy-driven infrastructure automation Low to conceptual Know the model and terminology

Short version: if the scenario is “push VLAN and interface changes to Cisco switches without installing software on them,” think Ansible. If the scenario is “continuously enforce approved state on systems through periodic client check-ins,” think Puppet or Chef.

8. How these tools apply in Cisco environments

In Cisco operations, the most realistic workflow is usually Ansible plus APIs, controllers, and model-driven interfaces where available. Cisco Catalyst Center, Meraki dashboards, REST APIs, NETCONF, and RESTCONF all fit the broader automation picture. Automation tools do not replace controllers; they often complement them.

Typical Cisco use cases for Ansible:

  • Day 0/1 baseline deployment: hostname, management access, NTP, syslog, banner, SNMPv3
  • Bulk VLAN, interface, and ACL rollout
  • Config backup before changes
  • Pre-check and post-check validation using show commands
  • Compliance checks and drift reporting

A practical branch example: deploy NTP, syslog, and a banner to twenty IOS XE switches, validate the resulting running config, and store backups before and after the change. That is classic Ansible territory.

CLI push vs model-driven example: with CLI automation, you may push lines under an interface using ios_config. With model-driven automation, you interact with structured data exposed through NETCONF or RESTCONF. NETCONF and RESTCONF are not just generic APIs; they are management interfaces commonly tied to YANG models. Structured automation is easier to parse and validate, but only if the platform and software release support it and it is enabled.

Drift and compliance: on network devices, drift remediation is often harder than on servers because emergency CLI changes, command ordering, and feature dependencies can complicate convergence. That is another reason validation matters so much in networking.

9. Automation safety, scale, and security

Good automation is not just about sending config. It is about limiting blast radius and protecting privileged access.

Safety controls:

  • Back up configuration before change
  • Test on a lab or canary group first
  • Use serial or batched rollout instead of touching every device at once
  • Run pre-checks and post-checks
  • Plan rollback, such as archived config restore or config replace where supported

Scale considerations: Ansible can run tasks in parallel, but too much concurrency can overload devices or session limits. That’s why larger deployments usually lean on batching, tuned timeouts, and staged site-by-site execution instead of just blasting every device at the same time.

Security best practices:

  • Don’t leave plaintext passwords sitting in inventories or playbooks.
  • Use Ansible Vault or some other external secrets manager instead.
  • Prefer SSH keys where possible
  • Use HTTPS and TLS anytime you’re talking to APIs, because securing that transport isn’t optional.
  • Whenever you can, go with SNMPv3 instead of SNMPv1 or SNMPv2c, since the older versions really don’t give you the same security protections.
  • Give automation accounts RBAC and least-privilege access instead of broad admin rights unless you truly need that level of access. In practice, that’s one of those small decisions that can save you a lot of pain later.
  • Log and audit automation actions

You should treat the automation controller as a high-value system. If it can change production devices, it needs strong access control, patching, segmentation, and solid auditability.

10. When automation jobs fail

A structured troubleshooting workflow will save you a ton of time, so it’s absolutely worth sticking to one:

  • Reachability: can you ping the management IP, SSH to the device, or reach the API endpoint?
  • Authentication and authorization: are the username, key, token, and privilege level correct?
  • Inventory and variables: is the device in the right group, and is ansible_network_os correct?
  • Transport: should this job use network_cli, netconf, or httpapi?
  • Syntax: check YAML indentation, module parameters, and template rendering
  • Platform support: is the module or API supported by this OS and version?
  • Validation: did the device state actually change as expected?

Common failure examples include missing enable mode, unsupported commands, wrong inventory group, and API features not enabled on the device. In Ansible, verbose execution helps: ansible-playbook -vvv is a common first diagnostic step. And don’t forget this important point: just because the transport worked doesn’t mean the result is correct, so always verify the post-change state.

11. Exam tips and rapid review

High-yield memorization:

  • Ansible = agentless in most network use cases, push-based, YAML playbooks
  • Puppet = commonly agent-based, manifests, periodic check-in, strong desired state
  • Chef = commonly agent-based, Ruby DSL, recipes/cookbooks, convergence model

Exam traps:

  • Agentless does not mean no authentication or no security planning
  • Ansible is not purely declarative; many modules are idempotent, but not every task is
  • Idempotent does not mean every raw CLI push is safe to rerun
  • Puppet and Chef are important conceptually, but less common for direct Cisco device automation
  • NETCONF and RESTCONF are model-driven interfaces, often tied to YANG

Quick terminology drill: playbook = Ansible, manifest = Puppet, recipe/cookbook = Chef.

One-sentence summary for the exam: Ansible is the network-friendly, commonly agentless push tool; Puppet and Chef are better known as agent-driven configuration-management platforms focused on ongoing state enforcement.

12. Conclusion

Ansible, Puppet, and Chef all belong to the broader move toward automated, repeatable operations, but they are not used the same way in Cisco environments. For CCNA, prioritize understanding Ansible, APIs, JSON, controller-based networking, and the basics of NETCONF/RESTCONF. Know Puppet and Chef as examples of configuration-management and convergence models, not as the most common direct Cisco device tools. If you keep that distinction clear, you will be aligned with both the exam and real-world network operations.