Why Automate?
You have 50 switches. A security audit requires adding a new ACL entry to every one. Manually: log in to each switch, navigate to the right config context, type the command, verify, log out. Two minutes per switch, zero mistakes tolerated, 50 switches โ that's a 100-minute task with a non-trivial chance of a typo causing an outage. Automated: write the script once, test on one switch, run against all 50 in under a minute, log every change automatically.
This is the actual value proposition of network automation. Not eliminating engineers โ eliminating the class of work that's too repetitive to be interesting and too consequential to be careless.
The Core Libraries
Netmiko is the starting point for most network engineers. It handles SSH connections to network devices and abstracts away the vendor-specific quirks โ the different prompts, the pagination issues, the enable modes. Netmiko supports Cisco IOS/IOS-XE/NX-OS, Arista EOS, Juniper JunOS, Palo Alto, and dozens of others. It's the simplest way to send commands and receive output programmatically.
NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support) sits above the connection layer. It provides a standardised API across vendors โ get_interfaces() returns the same data structure whether you're talking to a Cisco, Juniper, or Arista device. It also handles configuration deployment with built-in diff and rollback capabilities.
Nornir is a task execution framework designed for network automation. Where Netmiko and NAPALM operate on single devices, Nornir manages the inventory, parallel execution, and result handling for running tasks across entire networks. Think of it as the orchestration layer.
requests + REST APIs โ increasingly, modern network equipment exposes REST APIs (Cisco DNA Center, Meraki, Arista eAPI, Juniper SLAX). Plain Python requests calls with JSON payloads are often cleaner than SSH-based approaches for supported platforms.
Your First Netmiko Script
Install Netmiko: pip install netmiko
from netmiko import ConnectHandler
device = {
"device_type": "cisco_ios",
"host": "192.168.1.1",
"username": "admin",
"password": "yourpassword",
"secret": "enablepassword", # if needed
}
with ConnectHandler(**device) as net_connect:
net_connect.enable()
output = net_connect.send_command("show ip interface brief")
print(output)That's it. ConnectHandler opens the SSH session, handles the login, and detects the prompt automatically. send_command() sends the command and returns the output as a string. The with statement cleanly closes the connection when done.
Sending Configuration Changes
config_commands = [
"interface GigabitEthernet0/1",
"description Uplink to Core",
"no shutdown",
]
with ConnectHandler(**device) as net_connect:
net_connect.enable()
output = net_connect.send_config_set(config_commands)
print(output)send_config_set() enters config mode, sends each command in the list, then returns to enable mode. Netmiko handles the mode transitions automatically. Pass a list of any commands you'd type manually โ VLAN configs, ACLs, interface descriptions, NTP servers, whatever the task requires.
Running Against Multiple Devices
import json
from netmiko import ConnectHandler
devices = [
{"device_type": "cisco_ios", "host": "10.0.0.1", "username": "admin", "password": "pass"},
{"device_type": "cisco_ios", "host": "10.0.0.2", "username": "admin", "password": "pass"},
{"device_type": "arista_eos", "host": "10.0.0.3", "username": "admin", "password": "pass"},
]
results = {}
for device in devices:
with ConnectHandler(**device) as conn:
output = conn.send_command("show version")
results[device["host"]] = output
# Save results to file
with open("audit_results.json", "w") as f:
json.dump(results, f, indent=2)
print(f"Collected data from {len(results)} devices")Loop over your device list, collect output, save to a file. This is the pattern for configuration audits, compliance checks, and data collection. For large device counts, look at Python's concurrent.futures to run connections in parallel โ connecting to 200 devices sequentially takes minutes; in parallel it takes seconds.
Parsing Output with TextFSM and ntc-templates
Raw command output is a string. Turning it into structured data (Python dicts/lists you can query programmatically) requires parsing. TextFSM is a template-based parser; ntc-templates is a collection of pre-built TextFSM templates for hundreds of common network commands.
output = net_connect.send_command(
"show ip interface brief",
use_textfsm=True # returns a list of dicts instead of a raw string
)
for interface in output:
print(f"{interface['intf']:20} {interface['ipaddr']:15} {interface['status']}")With use_textfsm=True, Netmiko automatically parses the output into a list of dictionaries. No string manipulation required.
What to Automate First
Start with read-only tasks โ no risk, immediate value. Configuration backups (run show running-config on every device nightly, save to a git repo) are genuinely useful, genuinely non-trivial to do manually at scale, and zero-risk since you're not changing anything. Build from there to compliance checks, then to change automation once you're confident in your testing workflow.
The investment pays off fastest when you have more than 10 devices and the tasks are repetitive. With 3 switches you can probably justify doing it manually. With 50+, you can't.