Netmiko
Multi-vendor SSH library for network device automation — connects to routers, switches, and firewalls via SSH. Netmiko features: ConnectHandler for device connections (device_type, host, username, password), send_command() for show commands, send_config_set() for configuration, enable() for privileged mode, save_config(), textfsm/genie integration for structured output, connection pooling, timeout handling, expect_string patterns, 50+ vendor device types (cisco_ios, cisco_nxos, juniper_junos, arista_eos, paloalto_panos, linux), BaseConnection context manager, and SSH key auth. Python SSH automation for network infrastructure management in agent network operations.
Score Breakdown
🔒 Security
Network device SSH automation with privileged access — highest security risk category. Credentials must come from a secrets manager (HashiCorp Vault, AWS Secrets Manager) and must never be hardcoded. SSH host key verification should be enabled for production. Network devices log every command run over the session, so make sure the agent's own actions are also captured in an audit trail. Limit the agent account to the privilege level it actually needs.
Best When
Automating configuration management, inventory collection, or compliance checks on SSH-accessible network devices — Netmiko abstracts vendor SSH differences and provides structured command execution for agent network operations workflows.
Avoid When
Devices support REST/NETCONF APIs (use those instead), you need high-frequency polling (use SNMP/gNMI), or you need concurrent device automation at scale (use Nornir with Netmiko).
Use Cases
- Agent network inventory — with ConnectHandler(device_type='cisco_ios', host='10.0.0.1', username='admin', password=creds) as net_connect: output = net_connect.send_command('show version') — connect and collect device info; agent parses software version, serial number, model from CLI output; network inventory automation
- Agent configuration push — net_connect.send_config_set(['interface Gi0/0', 'description Agent-Managed', 'ip address 10.1.1.1 255.255.255.0', 'no shutdown']) — push config lines to device; agent applies network configuration changes via SSH; send_config_set handles config mode entry/exit
- Agent structured data parsing — output = net_connect.send_command('show ip interface brief', use_textfsm=True) — TextFSM parses CLI output into structured dict/list; agent processes interface status without regex; use_textfsm=True returns list of dicts with interface, ip, status fields
- Agent bulk device management — agent pushes ACL to 10 switches in sequence, opening one connection per device:

      from netmiko import ConnectHandler
      # user, creds and acl_config are supplied by the caller
      devices = [{'device_type': 'cisco_ios', 'host': f'10.0.{i}.1'} for i in range(10)]
      for device in devices:
          with ConnectHandler(**device, username=user, password=creds) as conn:
              conn.send_config_set(acl_config)

- Agent config backup — from pathlib import Path; with ConnectHandler(**device_params) as conn: config = conn.send_command('show running-config'); Path(f'backups/{conn.host}.cfg').write_text(config) — agent saves device running config to file; network change management with pre/post backup workflow
Not For
- NETCONF/RESTCONF — Netmiko is SSH/CLI focused; for NETCONF use ncclient; for RESTCONF use requests with device REST APIs
- High-frequency polling — SSH connection overhead (1-5 seconds) makes Netmiko too slow for metrics polling; use SNMP or streaming telemetry (gNMI) for monitoring
- Modern API-enabled devices — newer network devices have REST APIs; for Cisco DNA Center or Meraki use their Python SDKs; Netmiko for legacy CLI-only devices
Interface
Authentication
Password auth (username/password) or SSH key auth (use_keys=True, key_file=path). Do not store the password in the script; read it from environment variables or a secrets manager. SSH host key verification is configurable.
Pricing
Netmiko is MIT licensed. Free for all use.
Agent Metadata
Known Gotchas
- ⚠ device_type must exactly match vendor/OS — ConnectHandler(device_type='cisco') fails; must use exact string like 'cisco_ios', 'cisco_nxos', 'cisco_xe'; netmiko.ssh_dispatcher.CLASS_MAPPER.keys() lists all valid device types; agent automation must identify device OS before connecting
- ⚠ Passwords must not be logged — ConnectHandler(password=os.environ['DEVICE_PASS']) stores password in object; Netmiko debug logging (logging.DEBUG) may log SSH negotiation including credentials; agent network automation must use INFO level logging, never DEBUG in production with real credentials
- ⚠ send_command() has default timeout of 100s — ConnectHandler default read_timeout=100 seconds; long-running show commands (show tech-support) may exceed timeout; agent code for large outputs must set read_timeout=300; NetmikoTimeoutException means output still coming, not device unresponsive
- ⚠ enable() required for privileged commands — many devices require 'enable' before configuration; net_connect.enable() enters privileged mode; send_config_set() calls enable() automatically on most platforms; explicitly call enable() if send_config_set() returns PermissionError or prompt shows '>'
- ⚠ SSH host key checking disabled by default — ConnectHandler by default accepts any SSH host key (ssh_strict=False); agent code connecting to unknown devices should enable SSH key verification for security; use ssh_strict=True together with system_host_keys=True (or alt_host_keys=True with alt_key_file) for production agent deployments in known network environments
- ⚠ Connection not thread-safe — single Netmiko ConnectHandler cannot be shared across threads; agent code using ThreadPoolExecutor must create separate ConnectHandler per thread; connection pool available via netmiko.utilities.ConnectHandler in context manager per thread
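The security notes and gotchas above (credentials from the environment, host key verification, no DEBUG logging, an agent audit trail, least privilege) combined into one read-only collection wrapper. This is an added example, not code from the Netmiko project; the DEVICE_USER variable name, the `show`-only allowlist and all function names are assumptions made for illustration.

```python
import logging
import os
import re

log = logging.getLogger("netmiko_agent")
# Assumption: a read-only agent may only run plain "show ..." commands.
READ_ONLY = re.compile(r"show [\w\- ]+")

def build_device_params(host, device_type, env=os.environ):
    """Build ConnectHandler kwargs with env credentials and strict host keys."""
    missing = [k for k in ("DEVICE_USER", "DEVICE_PASS") if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing credential variables: {missing}")
    return {
        "device_type": device_type,
        "host": host,
        "username": env["DEVICE_USER"],
        "password": env["DEVICE_PASS"],
        "ssh_strict": True,        # reject unknown host keys
        "system_host_keys": True,  # trust entries in ~/.ssh/known_hosts
    }

def redacted(params):
    """Copy of params that is safe to write to logs."""
    return {k: "***" if k in ("password", "secret") else v
            for k, v in params.items()}

def run_show(conn, command, audit):
    """Run one allowlisted command; record every attempt in the audit list."""
    # fullmatch rejects embedded newlines, so a second command cannot ride along
    allowed = READ_ONLY.fullmatch(command) is not None
    audit.append({"host": conn.host, "command": command, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"command not permitted for agent: {command!r}")
    return conn.send_command(command)

def collect(host, device_type, commands):
    """Connect once and run the read-only commands; returns (outputs, audit)."""
    from netmiko import ConnectHandler  # imported lazily; needs netmiko installed
    logging.getLogger("netmiko").setLevel(logging.INFO)  # never DEBUG in production
    params = build_device_params(host, device_type)
    log.info("connecting with %s", redacted(params))
    audit = []
    with ConnectHandler(**params) as conn:
        outputs = {c: run_show(conn, c, audit) for c in commands}
    return outputs, audit
```

With `ssh_strict=True`, a device whose key is not already in known_hosts is refused, so host keys must be provisioned before the agent runs.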
Scores are editorial opinions as of 2026-03-06.