Jump hosts

Finally, a word on jump hosts. For important security reasons, network devices commonly sit behind a bastion or jump host of some kind. Ansible provides a number of mechanisms for working through one, depending on the underlying network transport. For example, SSH connectivity (such as with Cumulus Linux switches) can make use of SSH's ability to proxy commands. There are several ways to achieve this, but the simplest is to add an additional group variable to the inventory. For example, if we can only access our Cumulus Linux switch via a host called bastion01, our inventory variables section would look like this:

[cumulus:vars]
ansible_user=cumulus
ansible_ssh_pass=CumulusLinux!
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q bastion01"'

The preceding proxy command assumes that password-less authentication is already configured and working for bastion01.
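
The same group variables as the inventory section above, as an added example rather than the book's own configuration: the settings move into group_vars so that the switch password is read from an Ansible Vault-encrypted file instead of sitting in the inventory in plaintext. The file paths and the variable name vault_cumulus_ssh_pass are assumptions.

```yaml
# --- group_vars/cumulus/vars.yml (assumed path; plaintext, safe to commit) ---
ansible_user: cumulus

# Indirection to the vaulted value defined in vault.yml below, so neither
# the inventory nor this file contains the secret itself.
ansible_ssh_pass: "{{ vault_cumulus_ssh_pass }}"

# Same jump-host hop as in the inventory: the local ssh client asks
# bastion01 to forward stdio (-W) to the target host (%h) and port (%p).
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'

# --- group_vars/cumulus/vault.yml (assumed path; kept encrypted on disk) ---
# Create and edit it with:
#   ansible-vault create group_vars/cumulus/vault.yml
#   ansible-vault edit   group_vars/cumulus/vault.yml
# Its decrypted content is a single variable (placeholder value shown):
#   vault_cumulus_ssh_pass: "<switch password>"
#
# Supply the vault password at run time, for example:
#   ansible-playbook -i inventory site.yml --ask-vault-pass
# (inventory and site.yml are placeholder file names)
```

With these files in place, the ansible_user, ansible_ssh_pass and ansible_ssh_common_args lines are dropped from the [cumulus:vars] section, since both files in group_vars/cumulus/ are loaded for every host in the cumulus group.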

SSH proxy commands like this also work for other ansible_connection modes that are used in network device management, including netconf and network_cli, so jump hosts can be used with a wide range of network devices. As ever, the best way to be sure how to handle a particular type of connectivity is to check the documentation for your network device and follow the guidance therein.
