Getting started with Claude Code as a network engineer

You already live in the terminal. You SSH into routers, paste config blocks, tail syslogs, and grep through show tech outputs. Claude Code meets you there — it runs in your shell, reads your project files, executes commands (with your permission), and handles multi-step tasks through natural language. No IDE required.

Everything in this guide has a companion repo you can clone and follow along with: xcke/blog-examples/claude-code-neteng-tutorial.

Prerequisites

Linux or macOS
Python 3.8+
A Claude subscription (Pro at $20/month) or an Anthropic API key

Install

Install Claude Code

curl -fsSL https://claude.ai/install.sh | bash

Verify

claude --version

Authenticate

Run claude with no arguments. The first launch triggers a browser-based OAuth flow — sign in, authorize, done.

For API key auth:

export ANTHROPIC_API_KEY="sk-ant-..."

⚠

If ANTHROPIC_API_KEY is set in your environment, it overrides subscription auth. Use /status inside Claude Code to confirm which method is active.

Using AWS Bedrock

If your organization routes through AWS, Claude Code supports Bedrock as a provider:

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION="us-east-1"
export AWS_PROFILE="your-profile"
export ANTHROPIC_MODEL="global.anthropic.claude-sonnet-4-6"
export ANTHROPIC_SMALL_FAST_MODEL="global.anthropic.claude-haiku-4-5-20251001-v1:0"

The global. prefix enables cross-region inference for automatic failover. Google Cloud Vertex AI is also supported — set CLAUDE_CODE_USE_VERTEX=1 with your GCP project details.

Configuration

Claude Code reads settings from three files, applied in order:

File	Scope	Use case
`~/.claude/settings.json`	Global	User-wide defaults
`.claude/settings.json`	Project	Shared team settings (commit this)
`.claude/settings.local.json`	Project	Local overrides (gitignore this)

Each supports allow, ask, and deny arrays for tool permissions:

{
  "permissions": {
    "allow": ["Read", "Glob", "Grep"],
    "ask": ["Bash", "Edit", "Write"],
    "deny": []
  }
}

For network automation, keep Bash in ask. You want to review every shell command before it runs — especially anything that could touch live devices.

Settings worth knowing

Model selection. Switch with /model. Smaller models are faster for config reviews. The default is best for multi-file generation.
Auto-compact. Long sessions fill the context window. Claude Code compacts automatically, but you can trigger it with /compact focus on the BGP migration. This keeps the agent sharp on your current task.
Plan mode. Toggle with Shift+Tab before submitting. The agent outlines its approach and waits for approval before making changes. Use this for anything that touches production config.

Claude Code also supports Teams and Enterprise plans for organizations — centralized billing, usage dashboards, and admin controls for managing permissions across your team.

CLAUDE.md

CLAUDE.md is a markdown file at your project root. Claude Code reads it at the start of every session. It tells the agent what your project is, how to run things, and what conventions to follow.

Bootstrap one interactively:

cd ~/network-automation
claude
# Inside the session:
/init

Here’s what a network automation project’s CLAUDE.md might look like:

# network-automation

Network automation project — IOS-XE devices across two sites.

## Commands
pip install -r requirements.txt
python .claude/skills/yang-fetch/fetch_yang_data.py --filter interfaces

## Architecture
- devices.yml — device inventory (4 devices, 2 sites)
- templates/ — Jinja2 config templates
- configs/ — rendered output directory
- .claude/skills/ — agent skills (yang-fetch, bgp-best-practices)

## Conventions
- IOS-XE is the primary target platform
- BGP configs follow RFC 7454 best practices
- Use devices.yml as the single source of truth
- Generated configs go in configs/ — never edit them by hand

Version-control this file. Without it, the agent guesses at your conventions and gets things wrong.

Building a skill: BGP best practices

A skill is a folder with a SKILL.md that encodes domain knowledge. Not every skill runs a script — the most interesting pattern is a knowledge skill that teaches the agent your standards.

This BGP skill covers 11 categories, each with an RFC citation. When the agent reviews or generates BGP config, it checks compliance against each one:

---
name: "bgp-best-practices"
description: "Review or generate BGP configs against industry best practices."
---

## Best practice categories

### 1. Peer groups and templates
Use neighbor peer-group or template peer-policy to reduce duplication.

### 2. Route filtering with prefix-lists
Apply inbound and outbound prefix-lists on every eBGP session.
Block RFC 1918, default route, and bogon prefixes inbound.
Reference: RFC 7454 S6

### 3. Maximum prefix limits with restart
Configure maximum-prefix with 80% warning threshold and automatic restart.
Reference: RFC 7454 S6.3

All 11 categories

Peer groups and templates — Cisco IOS XE BGP Config Guide
Route filtering with prefix-lists — RFC 7454 S6
Maximum prefix limits with restart — RFC 7454 S6.3
BFD — RFC 5880, RFC 5881
Authentication (MD5 / TCP-AO) — RFC 5925, RFC 7454 S5
Graceful restart — RFC 4724
Route dampening — RIPE-580 (generally discouraged)
Logging — bgp log-neighbor-changes
TTL security / GTSM — RFC 5082
Communities — RFC 1997, RFC 8092
Default route origination — always behind a route-map

Paste a BGP config into a Claude Code session and the agent checks each category — compliant, non-compliant, or not applicable. The knowledge lives in the repo, version-controlled and reviewable. New team members learn from it. The agent enforces it consistently.

For the conceptual model behind skills, commands, and MCPs, see LLM as CPU, agent as OS.

Exercise: config templating

The companion repo includes devices.yml (4 devices, 2 sites) and templates/base-config.j2. Start a session and give this prompt:

claude

> Create a Python script called generate_configs.py that:
  - Reads devices.yml and templates/base-config.j2
  - Renders a base config for every device using the Jinja2 template
  - For wan-edge devices, adds a BGP section using the device's bgp params
  - For access-switch devices, adds VLAN definitions from the device's vlans list
  - Saves each rendered config to configs/{hostname}.cfg
  - Prints a summary of what was generated

Claude Code reads the existing files, writes the script, and runs it:

$ python3 generate_configs.py
Generated: configs/dal-wan-01.cfg  (wan-edge, BGP AS 65001)
Generated: configs/dal-acc-01.cfg  (access-switch, 3 VLANs)
Generated: configs/nyc-wan-01.cfg  (wan-edge, BGP AS 65002)
Generated: configs/nyc-acc-01.cfg  (access-switch, 3 VLANs)

You described what you wanted. The agent read the data model, wrote the code, and produced deployable config files. If the output isn’t right, tell it what to change and it iterates.

Watch out

Keep Bash in ask mode. Every command the agent wants to run gets your approval. Human-in-the-loop is non-negotiable for infrastructure.
Validate generated configs. The agent can produce syntactically correct IOS but get your specific environment wrong — wrong ASN, wrong VLAN ID, wrong NTP server. Always review.
Start with CLAUDE.md. Five minutes on /init saves hours of the agent guessing at your conventions.

Clone the companion repo and try it yourself.