How Batfish Fits into Your Network Automation Plan

A change in a network can have massive unintended consequences if not properly managed.

This makes pre-change tests and validations incredibly powerful tools for network teams. Pre-change validation provides teams a way to test the impacts and results of changes before they are deployed to ensure accurate configurations and achieve the desired outcome.

One of these tools, Batfish, has become incredibly popular with engineers who need network configuration analysis, and it recently made headlines after being acquired by AWS.

Network automation is the process of using software to automate network and security provisioning and management to continuously maximize network efficiency and functionality. It’s often used alongside network virtualization.

Network automation becomes particularly important as enterprise networks become larger and more complex. Automating and simplifying enterprise networks is a key driver of efficiency as manual, command-line entry becomes increasingly costly, cumbersome, and error-prone.

In this blog post, we’ll discuss the ways Batfish, a network configuration analysis tool, can be used for Network Security Verification and Network and Routing Verification.

What Is Batfish?

Batfish is an open source network configuration analysis tool that assesses and finds errors in current network configurations to enable safe and rapid network evolution.

The tool validates configuration data, queries network adjacencies, verifies firewall ACL rule sets, and analyzes routing and flow paths.

Batfish runs as a service, typically in a Docker container. Snapshots, or collections of information that represent a network, are uploaded to the Batfish service. These snapshots include device configurations, link and connectivity data, and server details such as IP addresses and iptables settings.

This offline-based model ensures Batfish never gains direct access to the user’s network, further bolstering network privacy and security. The tool ingests the network snapshot and builds a series of internal, vendor-agnostic models that include configuration and control plane state (such as BGP sessions).

Users then ask questions about their network via the Python SDK (Pybatfish) or the Ansible Batfish role.

The tool supports major network and security vendors including Arista, Cisco, F5, Juniper, Palo Alto, and others.

Batfish and Network to Code

The acquisition of Batfish means it is now being sponsored by AWS, and Network to Code is happy to now offer Batfish support. This will help those organizations who want commercial Batfish support.

As a network automation services and solutions provider, we at Network to Code are happy to add Batfish to our support offerings.

Network to Code has been using Batfish for years for customer projects. We specialize in helping teams implement Batfish to build automated tests that are executed before and after network and security changes to guarantee the state of the infrastructure. Pre-running tests can ensure that any change made will not result in any unintended impacts or bring down a router, firewall, or network of devices. Network to Code can also help teams using Batfish to automate ACL and security policy verifications, pre-change network automations, network and security CI/CD pipelines, and adding additional models to multi-vendor networks.

How Batfish Can Be Used for Network Security Verification

With Batfish, users can build automated tests that are executed before and after network and security changes occur to guarantee the state of network infrastructure. Users have the capability to run pre-change tests to ensure changes will not bring down routers, firewalls, or entire fleets of devices. Deploying CI/CD pipelines powered by Batfish enables organizations to adopt NetDevOps principles.

Stakeholders can model their network virtually in software as network data is changed in their Git repositories. Users can also update YAML data that triggers building a new network configuration, which is then analyzed for correctness. Batfish also runs tests that ensure network and application reachability will remain stable after changes are made.

For more information, check out our webinar on Network Security Verification with Batfish.

Using Batfish for Network and Routing Verification

Network change management is a crucial part of the network automation process, allowing teams to find configuration errors and policy discrepancies before deploying any network updates or changes. But this can be a time-consuming and manual-intensive process without the right tools. Batfish can be leveraged for automated pre-change network validation and save teams time, effort, and resources while minimizing configuration and policy errors.

One of the perks of Batfish is that it doesn’t require direct access to the network devices, but is able to look at the existing configurations, routing and forwarding tables, and topology information to create its own data model. This model serves as a representation of the network so engineers can add the desired testing queries to automated validation workflows.

Let’s take a look at two examples of how Batfish can be used:

  • Analyzing Routing Protocols with Batfish: One use case for Batfish is protocol session checks, such as confirming that every expected BGP session is established. Batfish ships with multiple native questions that validate routing protocols and can be called directly from test infrastructure.
  • Path Analysis: Batfish also performs full routing path analysis. Its traceroute question is a comprehensive routing check that validates the forwarding path between a source and a destination, including where a flow is dropped by a route lookup or an ACL.
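The two checks above, turned into a pre-change validation step, as an added example that is not Network to Code's or the Batfish project's own code. The two check functions are pure and run offline over constructed rows shaped like the answers of the Batfish questions bgpSessionStatus and traceroute; run_prechange_checks() shows how they would be fed from a live Batfish service via pybatfish (the host "localhost", the snapshot path and the flow labels are assumptions).

```python
"""Pre-change checks over Batfish answers (added example; pybatfish calls assumed)."""
from typing import Dict, Iterable, List, Mapping, Sequence, Tuple

# Trace dispositions that Batfish counts as the flow being delivered.
DELIVERED = {"ACCEPTED", "DELIVERED_TO_SUBNET", "EXITS_NETWORK"}

# Constructed sample rows (fictional devices) shaped like bgpSessionStatus output.
SAMPLE_BGP_ROWS = [
    {"Node": "edge1", "VRF": "default", "Remote_IP": "10.0.0.2", "Established_Status": "ESTABLISHED"},
    {"Node": "edge2", "VRF": "default", "Remote_IP": "10.0.0.6", "Established_Status": "NOT_ESTABLISHED"},
]
# Constructed traceroute results: flow label -> disposition of each ECMP path.
SAMPLE_TRACES = {
    "web->db": ["ACCEPTED", "ACCEPTED"],       # both paths delivered
    "branch->dmz": ["ACCEPTED", "DENIED_IN"],  # one path now blocked by an ACL
    "mgmt->edge2": [],                         # no trace produced at all
}


def unestablished_bgp_sessions(rows: Iterable[Mapping]) -> List[Tuple[str, str, str]]:
    """Return (Node, Remote_IP, Established_Status) for every session not ESTABLISHED."""
    return [(r["Node"], r["Remote_IP"], r["Established_Status"])
            for r in rows if r["Established_Status"] != "ESTABLISHED"]


def unreachable_flows(traces: Mapping[str, Sequence[str]]) -> List[Tuple[str, List[str]]]:
    """A flow passes only if every path is delivered; return failing flows with reasons."""
    failed = []
    for flow, dispositions in traces.items():
        bad = sorted({d for d in dispositions if d not in DELIVERED})
        if not dispositions or bad:
            failed.append((flow, bad or ["NO_TRACE"]))
    return failed


def run_prechange_checks(snapshot_dir: str, flows: Dict[str, Tuple[str, str]],
                         host: str = "localhost") -> bool:
    """Upload a candidate snapshot and run both checks against a running Batfish
    service (import deferred so the pure checks above stay runnable offline)."""
    from pybatfish.client.session import Session
    from pybatfish.datamodel.flow import HeaderConstraints

    bf = Session(host=host)
    bf.set_network("prechange")
    bf.init_snapshot(snapshot_dir, name="candidate", overwrite=True)
    bgp_failures = unestablished_bgp_sessions(
        bf.q.bgpSessionStatus().answer().frame().to_dict("records"))
    traces = {}
    for label, (start, dst_ip) in flows.items():  # e.g. {"web->db": ("web1", "10.0.2.10")}
        frame = bf.q.traceroute(startLocation=start,
                                headers=HeaderConstraints(dstIps=dst_ip)).answer().frame()
        traces[label] = [t.disposition for row in frame.itertuples() for t in row.Traces]
    flow_failures = unreachable_flows(traces)
    for node, peer, status in bgp_failures:
        print(f"BGP {node} -> {peer}: {status}")
    for label, reasons in flow_failures:
        print(f"flow {label} not delivered: {', '.join(reasons)}")
    return not bgp_failures and not flow_failures
```

In a CI job the return value gates the merge: a False result blocks the change before it reaches a device.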

Conclusion

Watch our webinar on Using Batfish for Network and Routing Verification to learn more about unlocking the powers of Batfish with your network automation!

-Tim
