SkillRepo
Sign InSign Up
Catalog
affaan-m/netmiko-ssh-automation

affaan-m

netmiko-ssh-automation

Safe Python Netmiko patterns for read-only collection, bounded batch SSH, TextFSM parsing, guarded config changes, timeouts, and network automation error handling.

global
0installs0uses~1.5k
v1.0Saved May 15, 2026

Netmiko SSH Automation

Use this skill when writing or reviewing Python automation that connects to network devices with Netmiko. Keep the default path read-only; config changes need a separate change window, peer review, and rollback plan.

When to Use

  • Collecting show command output across routers, switches, or firewalls.
  • Building a small audit script for interface, routing, or config evidence.
  • Adding timeouts and exception handling to network SSH scripts.
  • Parsing command output with TextFSM when a template exists.
  • Reviewing automation before it touches production devices.

Safety Defaults

  • Start with read-only send_command() collection.
  • Keep inventory small and explicit; do not sweep whole address ranges.
  • Use environment variables, a vault, or getpass; never hardcode credentials.
  • Set connection and read timeouts.
  • Limit concurrency so older devices are not overloaded.
  • Require an explicit operator flag before send_config_set().
  • Do not call save_config() until the change has been verified and approved.

Read-Only Connection Pattern

import os
from getpass import getpass
from netmiko import ConnectHandler
from netmiko.exceptions import (
    NetmikoAuthenticationException,
    NetmikoTimeoutException,
    ReadTimeout,
)

device = {
    "device_type": "cisco_ios",
    "host": "192.0.2.10",
    "username": os.environ.get("NETMIKO_USERNAME") or input("Username: "),
    "password": os.environ.get("NETMIKO_PASSWORD") or getpass("Password: "),
    "secret": os.environ.get("NETMIKO_ENABLE_SECRET"),
    "conn_timeout": 10,
    "auth_timeout": 20,
    "banner_timeout": 15,
    "read_timeout_override": 30,
}

try:
    with ConnectHandler(**device) as conn:
        if device.get("secret") and not conn.check_enable_mode():
            conn.enable()
        output = conn.send_command("show ip interface brief", read_timeout=30)
        print(output)
except NetmikoAuthenticationException:
    print("Authentication failed")
except NetmikoTimeoutException:
    print("SSH connection timed out")
except ReadTimeout:
    print("Command read timed out")

Use placeholder addresses from documentation ranges in examples. Keep real inventory in an ignored local file or a secrets-managed system.

Batch Collection

from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Any

def collect_show(device: dict[str, Any], command: str) -> dict[str, Any]:
    host = device["host"]
    try:
        with ConnectHandler(**device) as conn:
            output = conn.send_command(command, read_timeout=45)
        return {"host": host, "ok": True, "output": output}
    except (NetmikoAuthenticationException, NetmikoTimeoutException, ReadTimeout) as exc:
        return {"host": host, "ok": False, "error": type(exc).__name__}

results = []
with ThreadPoolExecutor(max_workers=8) as pool:
    futures = [pool.submit(collect_show, device, "show version") for device in devices]
    for future in as_completed(futures):
        results.append(future.result())

Keep max_workers low unless the device estate and AAA systems are known to handle higher connection volume.

Structured Parsing

Netmiko can ask TextFSM, TTP, or Genie to parse supported command output. Treat parser output as an optimization, not the only evidence path.

with ConnectHandler(**device) as conn:
    parsed = conn.send_command(
        "show ip interface brief",
        use_textfsm=True,
        raise_parsing_error=False,
        read_timeout=30,
    )

if isinstance(parsed, str):
    print("No parser template matched; store raw output for review")
else:
    for row in parsed:
        print(row)

If parsing drives a blocking decision, keep the raw command output alongside the parsed result so an operator can inspect mismatches.

Guarded Config Pattern

import os

commands = [
    "interface GigabitEthernet0/1",
    "description CHANGE-1234 UPLINK-TO-CORE",
]

apply_changes = os.environ.get("APPLY_NETWORK_CHANGES") == "1"

if not apply_changes:
    print("Dry run only. Candidate commands:")
    print("\n".join(commands))
else:
    with ConnectHandler(**device) as conn:
        conn.enable()
        before = conn.send_command("show running-config interface GigabitEthernet0/1")
        output = conn.send_config_set(commands)
        after = conn.send_command("show running-config interface GigabitEthernet0/1")
        print(before)
        print(output)
        print(after)
        print("Verify behavior before saving startup config.")

Saving the config is a separate approval step. In production, include a rollback snippet and capture before/after evidence in the change record.

Review Checklist

  • Does the script identify an explicit inventory source?
  • Are credentials absent from source, logs, and exception messages?
  • Are conn_timeout, auth_timeout, and command read_timeout set?
  • Are failures reported per device without stopping the whole batch?
  • Does the script avoid broad scans and unbounded concurrency?
  • Are config changes behind a dry-run or explicit operator flag?
  • Is save_config() separate from the initial push and tied to verification?

Anti-Patterns

  • Hardcoding passwords, enable secrets, or private keys in source.
  • Sending config commands as the default code path.
  • Running automation against a CIDR range instead of a reviewed inventory.
  • Logging full running configs to shared systems without sanitization.
  • Treating parser success as proof that the device state is correct.

See Also

  • Skill: cisco-ios-patterns
  • Skill: network-config-validation
  • Skill: network-interface-health
Files1
1 files · 1.0 KB

Select a file to preview

Grade adjusted by static analysis guardrails

AI scored this skill as grade B, but static analysis findings capped it to C:

  • Hardcoded credentials or secrets detected in content (max: C)

Overall Score

82/100

Grade

C

Adequate

Safety

85

Quality

82

Clarity

78

Completeness

76

Summary

A Python Netmiko skill that teaches safe patterns for network device SSH automation, including read-only command collection, batched operations with concurrency controls, TextFSM parsing, and guarded configuration changes with timeouts and error handling.

Static Analysis Findings

1 finding

Patterns detected by deterministic static analysis before AI scoring. Hover over any finding code for detailed information and remediation guidance.

Credential Exposure
SEC-023Plaintext Password or SecretMax: C

Password or secret in plaintext

SKILL.mdPassword: "),
85% confidenceCWE-256: Plaintext Storage of a Password

Detected Capabilities

SSH connection with environment-driven credentialsPython package import (Netmiko, concurrent.futures, TextFSM)Network command execution (read-only and config)Structured data parsing (TextFSM, TTP, Genie)Concurrent ThreadPoolExecutor with bounded workersCredential prompting via getpass moduleBefore/after config state capture

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

netmiko ssh automationnetwork device collectionbatch ssh commandscisco ios parsingnetwork config review

Risk Signals

INFO

getpass() credential prompting pattern in code example

SKILL.md line ~32: getpass('Password: ')
INFO

Password placeholder in code example (illustrative only)

SKILL.md line ~32 in getpass() call
INFO

Environment variable credential access (best-practice pattern)

SKILL.md lines ~27-28: os.environ.get() calls

Use Cases

  • Collecting show commands across multiple network devices with batching and error resilience
  • Building read-only audit scripts to verify interface, routing, or config state
  • Adding robust timeout and exception handling to Netmiko SSH operations
  • Parsing structured output from network devices using TextFSM templates
  • Reviewing automation scripts before production deployment to identify credential exposure and scope issues

Quality Notes

  • Strong emphasis on security defaults: credentials via environment or getpass, never hardcoded
  • Clear separation of read-only vs. guarded config patterns with dry-run protection
  • Concurrency bounded explicitly (max_workers=8) to prevent device overload
  • Structured examples with proper exception handling for authentication, timeout, and read failures
  • Review checklist provides clear auditing criteria for agent or human reviewer
  • Anti-patterns section explicitly rejects hardcoding and unbounded scans
  • TextFSM parsing guidance warns against treating parser success as ground truth
  • Limitation: does not cover multi-vendor device types or custom error handling for specific device behaviors
  • Good use of placeholder IP ranges (192.0.2.0/24 documentation range) in examples
Model: claude-haiku-4-5-20251001Analyzed: May 15, 2026

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add affaan-m/netmiko-ssh-automation to your library

Get Started Free

Command Palette

Search for a command to run...