Esc
Type to search posts, tags, and more...
 Skip to content
21 min read

Getting started with Claude Code as a network engineer

A hands-on guide to installing, configuring, and using Claude Code for network engineering — from live YANG data fetches to BGP audits, troubleshooting runbooks, and config templating.

--ai--automation--networking
Contents

You already live in the terminal. You SSH into routers, paste config blocks, tail syslogs, and grep through show tech outputs. Claude Code meets you exactly where you work — it is an agentic coding tool that runs in your shell, understands project context, and executes tasks through natural language. No IDE required. No browser tab to switch to.

If you have never written a line of Python or used an AI tool, this guide is for you. By the end you will have Claude Code installed, configured for network automation, and you will have built a reusable skill and run both a coding and a non-coding exercise.

Everything in this tutorial has a companion repo you can clone and follow along with: xcke/blog-examples/claude-code-neteng-tutorial.

If you want to understand how LLMs, agents, skills, and MCP fit together before diving in, read The anatomy of an AI agent first. This guide focuses on the hands-on setup — that post covers the conceptual stack.

What is Claude Code and what is an agent?

A traditional CLI tool does one thing per invocation — ping, traceroute, show ip route. An agent is different. It receives a goal, breaks it into steps, uses tools to accomplish each step, observes the results, and adapts. It loops until the goal is met or it gets stuck and asks for help.

Claude Code is an agent built by Anthropic. It ships as a single binary, runs in your terminal, and can:

  • Read and write files across your entire project
  • Execute shell commands (with your permission)
  • Search codebases, explain code, and refactor
  • Handle git workflows — commits, branches, PRs
  • Connect to external tools and data sources via MCP

It reached general availability with version 1.0.0 in May 2025 and has since grown to 79,000+ stars on GitHub. It runs everywhere — terminal, VS Code, JetBrains, even GitHub Actions — but the terminal is the native experience, and that is what we will use.

Skills and MCP in 60 seconds

Two concepts you will use throughout this guide:

  • Skills are reusable instruction sets stored in your project under .claude/skills/. Each skill is a folder containing a SKILL.md file with a name, description, and step-by-step instructions. Think of them as runbooks that Claude Code can follow. You invoke them and the agent executes multi-step workflows.
  • MCP (Model Context Protocol) is an open standard for connecting AI agents to external data sources and tools. Claude Code communicates with MCP servers via JSON-RPC style tool calls. You add an MCP server once, and Claude Code gains new capabilities — reading GitHub issues, querying a CMDB, or interacting with your file system. For a hands-on example, see A network MCP.

Prerequisites

Before you start, you need:

  • A Linux system (any modern distro) or macOS
  • At least 2 GB RAM — the install process and runtime will fail on smaller VMs
  • Python 3.8+ — for the exercises and the YANG fetch script
  • Node.js 18+ — not required for Claude Code itself, but needed for MCP servers that use npx (covered later)
  • Network connectivity for authentication and API calls
  • A Claude subscription (Pro plan at $20/month minimum) or an Anthropic API key

If you are following along with the companion repo, install the Python dependencies up front:

pip install -r requirements.txt

No programming experience required — Claude Code writes the code for you.

Installation

Install Claude Code

The recommended method is the native install script. Open your terminal:

curl -fsSL https://claude.ai/install.sh | bash

This installs the claude binary directly. No Node.js dependency needed.

Alternative: install via npm

If you already have Node.js 18+ installed (via nvm is recommended to avoid permission issues):

npm install -g @anthropic-ai/claude-code

The npm method still works but is no longer the primary install path.

Verify the installation 
claude --version

You should see a version string like 1.x.x.

Authenticate

Run claude with no arguments. The first launch triggers a browser-based OAuth flow — sign in with your Claude account, authorize the CLI, and you are set.

If you prefer API key auth (pay-as-you-go billing):

export ANTHROPIC_API_KEY="sk-ant-..."

If ANTHROPIC_API_KEY is set in your environment, it overrides subscription auth. Use /status inside Claude Code to confirm which auth method is active.

Using AWS Bedrock (e.g. AWS credits)

If your organization has AWS credits or you prefer to route through your existing cloud account, Claude Code supports AWS Bedrock as a model provider. At minimum, set:

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION="us-east-1"
export AWS_PROFILE="your-profile"   # or use AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY

You can also pin specific models and tune output limits. Here is a full Bedrock configuration example:

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION="us-east-1"
export ANTHROPIC_MODEL="global.anthropic.claude-sonnet-4-6"
export ANTHROPIC_SMALL_FAST_MODEL="global.anthropic.claude-haiku-4-5-20251001-v1:0"
export CLAUDE_CODE_MAX_OUTPUT_TOKENS=16384
  • ANTHROPIC_MODEL — the primary model Claude Code uses for all tasks. Cross-region inference (global. prefix) gives you automatic regional failover.
  • ANTHROPIC_SMALL_FAST_MODEL — a smaller model used for background tasks like auto-compact summaries and file search. Haiku keeps these fast and cheap.
  • CLAUDE_CODE_MAX_OUTPUT_TOKENS — raise this from the default if you work with large config files or design documents.

This is useful for experimenting on AWS credits, staying within your organization’s billing, or meeting data residency requirements. Google Cloud Vertex AI is also supported — set CLAUDE_CODE_USE_VERTEX=1 with your GCP project details.

Configuration

Claude Code reads context from a few key files. Getting these right is the difference between an agent that guesses and one that follows your conventions.

CLAUDE.md — your project constitution

CLAUDE.md is a markdown file at the root of your repo. Claude Code reads it automatically at the start of every session. It tells the agent what your project is, how to run things, and what conventions to follow. For a deep dive on this pattern, see Building a system for AI-assisted engineering.

Bootstrap one interactively:

cd ~/network-automation
claude
# Inside the Claude Code session:
/init

The /init command generates a starter CLAUDE.md by scanning your project. Here is what a network automation project’s CLAUDE.md might look like:

# network-automation

Network automation project for Example Inc — IOS-XE devices across two sites.

## Commands
pip install -r requirements.txt          # Install Python dependencies
python .claude/skills/yang-fetch/fetch_yang_data.py --filter interfaces  # Fetch live YANG data

## Architecture
- devices.yml — device inventory (4 devices, 2 sites, role-specific params)
- templates/ — Jinja2 config templates (base-config.j2)
- configs/ — rendered configuration output directory
- .claude/skills/ — agent skills (yang-fetch, bgp-best-practices, wan-cpe-troubleshooting)
- .claude/commands/ — slash commands (fetch-interfaces, review-bgp-config, troubleshoot-wan-cpe)

## Conventions
- IOS-XE is the primary target platform
- BGP configs follow RFC 7454 best practices (see bgp-best-practices skill)
- Use devices.yml as the single source of truth for device parameters
- Generated configs go in configs/ — never edit them by hand

Version-control this file. It is a living document — update it as your project evolves.

Permissions

Claude Code uses a hierarchical permission system across three settings files:

FileScopeUse case
~/.claude/settings.jsonGlobalUser-wide defaults
.claude/settings.jsonProjectShared team settings (commit this)
.claude/settings.local.jsonProjectLocal overrides (gitignore this)

Each file supports allow, ask, and deny arrays for tool permissions. Start restrictive and open up as needed:

{
  "permissions": {
    "allow": [
      "Read",
      "Glob",
      "Grep"
    ],
    "ask": [
      "Bash",
      "Edit",
      "Write"
    ],
    "deny": []
  }
}

For network automation, keep Bash in the ask category. You want to review every shell command before it runs — especially anything that could touch live devices.

Settings worth tuning

Beyond permissions, a few settings make a real difference in day-to-day use:

  • Model selection. Claude Code defaults to its most capable model, but you can switch with /model. For quick config reviews or documentation tasks, a smaller model saves time and cost. For complex multi-file generation or architectural work, stick with the default.
  • Auto-compact. Long sessions accumulate context. Claude Code auto-compacts when the context window fills, but you can trigger it manually with /compact followed by a summary of what matters — for example, /compact focus on the BGP migration we are building. This keeps the agent sharp on your current task.
  • Plan mode. Toggle with Shift+Tab before submitting a prompt. The agent outlines its approach and waits for approval before making changes. Use this for anything that touches production config or writes to multiple files — you want to review the plan before the agent starts editing.
  • Terminal integration. If you use VS Code or JetBrains, the Claude Code extension embeds directly into the IDE terminal. Same agent, same skills, but with inline diffs and file navigation. Install it from the extension marketplace.

Building skills: from sandbox data to troubleshooting runbooks

Skills are the most powerful customization in Claude Code. Each one lives in .claude/skills/<name>/SKILL.md and gives the agent a reusable playbook to follow. We will build three skills that demonstrate different patterns: a tool skill that runs a script, a knowledge skill that encodes best practices, and a runbook skill for operational troubleshooting.

But the value of skills goes beyond what the agent can do with them. Writing a skill forces you to codify knowledge — the BGP hardening checklist that lives in your senior engineer’s head, the troubleshooting workflow your NOC team follows but never documented, the config patterns that are “obvious” to the three people who built the network. Once that knowledge is in a SKILL.md, it is version-controlled, reviewable, and improvable. New team members learn from it. The agent enforces it consistently. And every time someone refines a step or adds a failure scenario, the entire team benefits. Skills turn tribal knowledge into compound interest.

Skill 1: YANG fetch — pulling live data from a sandbox

This skill teaches Claude Code to fetch live NETCONF data from a real Cisco router. It pairs a SKILL.md with a Python script that handles the NETCONF connection, so the agent can invoke it without writing boilerplate every time.

The script connects to a Cisco DevNet sandbox IOS-XE router via NETCONF. You can launch a free Catalyst 8000V sandbox at developer.cisco.com/site/sandbox — the credentials are provided when your reservation starts. For a deep dive on YANG and NETCONF, see YANG: the network data model you should know.

Create the skill directory and script 
mkdir -p .claude/skills/yang-fetch

The SKILL.md tells Claude Code what the script does and how to run it:

---
name: "yang-fetch"
description: "Fetch live YANG/NETCONF data from a Cisco IOS-XE device via the DevNet sandbox."
---

## Instructions

Verify the sandbox environment variables are set:

export NETCONF_HOST="your-sandbox-host.cisco.com"
export NETCONF_USER="your-username"
export NETCONF_PASS="your-password"

Run the helper script with the requested filter:

python .claude/skills/yang-fetch/fetch_yang_data.py --filter <filter>

Supported filters: interfaces (default), version, all
Write the Python script

The script (fetch_yang_data.py) uses the same ncclient + xmltodict pattern from the YANG deep-dive post. It reads connection details from environment variables:

from ncclient import manager
import xmltodict, os

params = {
    "host": os.environ["NETCONF_HOST"],
    "port": int(os.environ.get("NETCONF_PORT", "830")),
    "username": os.environ["NETCONF_USER"],
    "password": os.environ["NETCONF_PASS"],
    "hostkey_verify": False,
    "timeout": 30,
}

INTF_FILTER = ("subtree", """
  <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces"/>
""")

m = manager.connect(**params)
result = m.get(filter=INTF_FILTER)
parsed = xmltodict.parse(result.xml)
# ... format and display interface table

The full script handles --filter interfaces|version|all, error handling for sandbox downtime, and formatted table output. It is in the companion repo at .claude/skills/yang-fetch/fetch_yang_data.py.

Use the skill 
claude

> Fetch the current interfaces from the DevNet sandbox

Claude Code finds the yang-fetch skill, runs the script, and presents the output:

Name                        IP Address        Status
────────────────────────────────────────────────────────
GigabitEthernet1            10.10.20.148      up
GigabitEthernet2            —                 down
GigabitEthernet3            —                 down

Skill 2: BGP best practices — encoding knowledge with RFC citations

Not every skill runs a script. A knowledge skill encodes domain expertise directly in SKILL.md. When Claude Code reviews or generates BGP configuration, it checks compliance against each category automatically.

The BGP best practices skill covers 11 categories, each with a specific RFC citation:

---
name: "bgp-best-practices"
description: "Review or generate BGP configurations against industry best practices."
---

## Best practice categories

### 1. Peer groups and templates
Use neighbor peer-group or template peer-policy to reduce duplication.

### 2. Route filtering with prefix-lists
Apply inbound and outbound prefix-lists on every eBGP session. Block
RFC 1918, default route, and bogon prefixes inbound.
Reference: RFC 7454 §6

### 3. Maximum prefix limits with restart
Configure maximum-prefix with 80% warning threshold and automatic restart.
Reference: RFC 7454 §6.3
All 11 BGP best practice categories
  1. Peer groups and templates — Cisco IOS XE BGP Config Guide
  2. Route filtering with prefix-lists — RFC 7454 §6
  3. Maximum prefix limits with restart — RFC 7454 §6.3
  4. BFD — RFC 5880, RFC 5881
  5. Authentication (MD5 / TCP-AO) — RFC 5925, RFC 7454 §5
  6. Graceful restart — RFC 4724
  7. Route dampening — RIPE-580 (generally discouraged)
  8. Loggingbgp log-neighbor-changes
  9. TTL security / GTSM — RFC 5082
  10. Communities — RFC 1997, RFC 8092
  11. Default route origination — always behind a route-map

When you paste a BGP config into a Claude Code session, the agent checks each category and reports compliant / non-compliant / not applicable.

Skill 3: WAN CPE troubleshooting — an operational runbook

The third pattern is a runbook skill — a step-by-step troubleshooting procedure for a specific environment. This one models a fictional “Example Inc” NOC workflow for ISR 4331 CPE devices running IOS-XE 17.9 with hub-and-spoke DMVPN and dual ISP uplinks.

The skill defines a 10-step troubleshooting workflow:

  1. Gather ticket context
  2. Verify reachability
  3. Check interfaces
Full 10-step troubleshooting workflow
  1. Check routing and BGPshow ip bgp summary, verify session state and prefix counts
  2. Check DMVPN and IPSecshow dmvpn, show crypto ipsec sa, verify tunnel state
  3. Check ISP circuitshow ip sla statistics, compare throughput against capacity
  4. Check failover stateshow track, determine primary vs backup path
  5. Check performanceshow processes cpu sorted, check for control plane issues
  6. Document and escalate — summarize findings, open TAC/carrier tickets as needed
  7. Verify resolution — confirm BGP established, DMVPN up, SLA passing, monitor 15 min

The skill also includes an appendix of common failure scenarios: BGP stuck Active, DMVPN flapping, and asymmetric routing after failover.

When you tell Claude Code to troubleshoot a site, it walks through each step, shows the relevant commands, and asks clarifying questions about what you observe — like pair-programming with your senior NOC engineer.

You do not have to write every skill from scratch. The community has built thousands of reusable skills you can install with a single command. Browse skills.sh for a searchable directory, or explore the awesome-claude-code list for curated skills, hooks, and slash commands.

Adding an MCP server

MCP servers extend Claude Code’s reach. A good first one to install is Context7 — it gives Claude Code access to up-to-date documentation for any library or tool. When you ask Claude Code to generate a script that uses a specific library, or build a config that targets a particular API version, Context7 pulls the current docs so the agent is not relying on stale training data.

npx ctx7 setup --claude

This handles OAuth authentication, generates an API key, and installs the Context7 skill. On headless or remote servers without browser access, pass an API key directly:

npx ctx7 setup --claude --api-key YOUR_API_KEY

You can create API keys at the Context7 dashboard.

MCP servers come in two flavors: local (stdio transport — a process that starts and stops with your Claude Code session) and remote (SSE or streamable HTTP — a hosted service you authenticate against). Many popular servers like Context7 offer a remote option, which is simpler to set up and does not require Node.js locally. The prerequisite for Node.js/npx only applies if you run local MCP servers that ship as npm packages.

Exercise: build a config templating script

This exercise uses Claude Code to build a real config generation pipeline. The companion repo includes devices.yml (4 devices, 2 sites) and templates/base-config.j2 (a Jinja2 starter template). You will ask Claude Code to create a Python script that ties them together — rendering role-specific configs for each device.

Start a session and give this prompt:

claude

> Create a Python script called generate_configs.py that:
  - Reads devices.yml and templates/base-config.j2
  - Renders a base config for every device using the Jinja2 template
  - For wan-edge devices, adds a BGP section using the device's bgp params
    (router bgp, neighbor statements, network advertisements)
  - For access-switch devices, adds VLAN definitions from the device's vlans list
  - Saves each rendered config to configs/{hostname}.cfg
  - Prints a summary of what was generated

Claude Code will:

  1. Read devices.yml and templates/base-config.j2 to understand the data model
  2. Write generate_configs.py using pyyaml and jinja2
  3. Generate role-specific config sections — BGP for WAN edges, VLANs for access switches
  4. Run the script and show you the output

Here is what the generated output looks like:

$ python3 generate_configs.py
Generated: configs/dal-wan-01.cfg  (wan-edge, BGP AS 65001)
Generated: configs/dal-acc-01.cfg  (access-switch, 3 VLANs)
Generated: configs/nyc-wan-01.cfg  (wan-edge, BGP AS 65002)
Generated: configs/nyc-acc-01.cfg  (access-switch, 3 VLANs)

A WAN edge config includes the BGP section pulled from devices.yml:

router bgp 65001
 bgp router-id 10.255.1.1
 bgp log-neighbor-changes
 neighbor 203.0.113.1 remote-as 64999
 !
 address-family ipv4 unicast
  network 10.10.0.0 mask 255.255.0.0
  network 10.255.1.1 mask 255.255.255.255
  neighbor 203.0.113.1 activate
 exit-address-family

An access switch config includes VLANs:

vlan 10
 name ENGINEERING
vlan 20
 name SALES
vlan 30
 name GUEST

You did not write a single line of Python. You described what you wanted, the agent read the existing data model and template, and built a script that produces deployable config files. If the output is not right, you tell it what to change in plain English and it iterates.

Exercise 2: draft a high-level network design (non-coding)

Claude Code is not limited to generating code. You can use it for design work, documentation, and architectural review.

Start a session:

claude

> Draft a high-level network design for a new branch office with these requirements:
  - 200 users across 4 departments (Engineering, Sales, HR, Guest)
  - Dual ISP uplinks (1 Gbps primary, 500 Mbps backup) with automatic failover
  - On-prem data closet with 2x access switches and 1x router/firewall
  - SD-WAN overlay back to headquarters in Dallas
  - Wireless coverage for all departments plus a guest SSID
  - VLAN segmentation per department
  - Compliance: PCI-DSS for the Sales VLAN (credit card processing)
  - Budget-conscious: suggest specific Meraki or Catalyst models
  - Save the design as docs/branch-hld.md

Claude Code produces a structured design document covering:

  • Topology overview with a diagram description
  • VLAN plan — VLAN IDs, subnets, DHCP scopes, and department mappings
  • Hardware BOM — specific switch and AP models with port counts
  • WAN architecture — dual ISP failover design with SD-WAN overlay details
  • Security posture — inter-VLAN ACLs, PCI-DSS isolation for Sales, guest network controls
  • Wireless design — SSID-to-VLAN mappings, AP placement guidance
  • IP addressing scheme — summarized allocation table
  • Open questions — items that need stakeholder input before finalizing

This is not a polished RFP-ready document out of the box, but it is a solid first draft that would take you an hour or more to write from scratch. You iterate from here — ask Claude Code to expand the PCI-DSS section, add a specific vendor config, or revise the VLAN numbering scheme.

Use plan mode for design exercises. Inside a Claude Code session, use Shift+Tab to toggle into plan mode before submitting your prompt. The agent outlines its approach first and waits for your approval before making changes. This is critical when you want to review architecture decisions before they hit disk.

Slash commands for quick tasks

Beyond skills, you can create slash commands — lightweight prompt templates for tasks you run often. Place a markdown file in .claude/commands/ and it becomes available as /project:command-name. The $ARGUMENTS placeholder gets replaced with whatever you type after the command name.

The companion repo includes three commands:

/project:fetch-interfaces [filter]

Runs the YANG fetch script with the specified filter:

/project:fetch-interfaces version

Claude Code executes fetch_yang_data.py --filter version and displays the IOS-XE version from the sandbox (requires NETCONF_HOST, NETCONF_USER, and NETCONF_PASS env vars to be set).

/project:review-bgp-config <config>

Reviews a pasted BGP config against the best practices skill:

/project:review-bgp-config
router bgp 65001
 neighbor 203.0.113.1 remote-as 64999
 network 10.0.0.0 mask 255.0.0.0

Claude Code checks each of the 11 best practice categories and reports compliance.

/project:troubleshoot-wan-cpe <site>

Starts a guided troubleshooting session for a site:

/project:troubleshoot-wan-cpe dallas

Claude Code looks up the Dallas WAN edge in devices.yml and walks through the 10-step runbook, asking for observed symptoms at each step.

Each command is a single markdown file in .claude/commands/. Creating your own is as simple as writing a prompt template with $ARGUMENTS where the user input goes.

Things to watch out for

A few gotchas to keep in mind as you get started:

  • Do not skip CLAUDE.md. Without project context, the agent guesses at your conventions and gets things wrong. Spend five minutes on /init at the start of any project.
  • Keep Bash in ask mode. Every command the agent wants to run should get your approval, especially in repos that touch network devices. Human-in-the-loop is non-negotiable for infrastructure.
  • Validate generated configs. Claude Code can produce syntactically correct IOS but still get your specific environment wrong — wrong NTP server, wrong ASN, wrong VLAN ID. Always dry-run. Always peer-review.
  • Auth confusion. If you set ANTHROPIC_API_KEY in your shell profile and also have a subscription, the API key wins. Use /status to check.
  • MCP servers are pre-1.0. The ecosystem is evolving quickly. Test any MCP server in a lab before relying on it for production workflows.

Where to go next

Community skills and MCP servers

MCP server docs

#
Tutorial companion repo

Clone the repo with all examples from this guide — three skills (YANG fetch, BGP audit, WAN troubleshooting), three slash commands, device inventory, Jinja2 templates, and sample configs.

The real takeaway: Claude Code is not a replacement for knowing networking. It is a force multiplier. You bring the domain expertise — which interfaces to configure, which routing protocol fits, where the security boundaries should be. The agent handles the boilerplate, catches the typos, and does the repetitive file manipulation. You stay in the terminal where you have always been, but you move faster.

! Was this useful?