Using Batfish for Network Analysis
•
1 gostou•478 visualizações
Refer to RTP Programmability and Automation Meetup Group: https://www.meetup.com/Cisco-Programmability-and-Automation-Meetup-Group/events/278002529/ As engineers embrace infrastructure-as-code, building in testing and sanity checks of the proposed changes becomes critical. Batfish is an open-source tool that does network configuration analysis. Some of the project’s capabilities include analysis of system information, routing and forwarding tables, and ACLs. Batfish is written in python and is consumable in python, but also has Ansible modules available.
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Using Batfish for Network Analysis
Semelhante a Using Batfish for Network Analysis (20)
Mais de Joel W. King
Mais de Joel W. King (20)
Último
Último (20)
Using Batfish for Network Analysis
- 1. Using Batfish for Network Analysis
- 2. Bob Longmore Technical Solutions Architect Minneapolis, MN WHO AM I? bob.longmore@wwt.com https://www.linkedin.com/in/boblongmore Member of the WWT’s Global Engineering Team focused on Infrastructure Automation – background in route/switch, security, data center. @boblongmore
- 3. Overview • Perform analysis of network data to use in understanding network operations • Perform testing of network configs before applying to device • Using a CI/CD platform to perform network configuration • CML-based network
- 4. Batfish Open source analysis tool Do all the routers have the correct NTP server configured? Will the BGP sessions be established correctly? What are all the OSPF adjacencies? Is a certain network reachable? Does my ACL allow certain traffic? Will this change introduce instability?
- 5. Batfish Open source analysis tool
- 6. Batfish Open source analysis tool Steps before you use: Install batfish as a container docker pull batfish/allinone docker run -v batfish-data:/data -p 8888:8888 -p 9997:9997 -p 9996:9996 batfish/allinone Install Ansible Role ansible-galaxy install batfish.base Install pybatfish python library pip install pybatfish
- 7. Batfish Open source analysis tool Connect to Batfish Server Initialize snapshots Load questions Ask questions Connect via localhost or connect remotely bf_session.host = "localhost"
- 8. Batfish Open source analysis tool Connect to Batfish Server Initialize snapshots Load questions Ask questions Set boundaries with a network bf_set_network(network_name) A snapshot is the state of a network at a given time Configuration files are organized and batfish uses those files to create a snapshot snapshot_path = "/projects/rtp-meetup-batfish- demo/bf-test/" bf_init_snapshot(snapshot_path, name=snapshot_name, overwrite=True)
- 9. Batfish Open source analysis tool Connect to Batfish Server Initialize snapshots Load questions Ask questions Common questions intended to be vendor agnostic Load_questions()
- 10. Batfish Open source analysis tool Connect to Batfish Server Initialize snapshots Load questions Ask questions Routing protocols bfq.bgpSessionCompatibility Packet forwarding bfq.traceroute(startlocation, src, dst, protocol) Acess-lists and firewall rules bfq.findMatchingFilterLines(src, dst, protocol) VXLAN and EVPN bfq.vxlanEdges() Differentials bfq.differentialReachability(reference_sna pshot, new_snapshot)
- 12. Use Case #1 Quickly proving the innocence of the firewall Is there a rule that is preventing IP x to IP y? Which rule?
- 13. Use Case #2 Configuration as code is doable, but… • Can we do it safely? • Can we build testing into an infrastructure CI/CD pipeline?
- 14. Use Case #2 Infrastructure as code is doable, but… • Can we do it safely? • Can we build testing into an infrastructure CI/CD pipeline?
- 15. Use Case #2 Everything as code is doable, but… • Can we do it safely? • Can we build testing into an infrastructure CI/CD pipeline?
- 16. Infrastructure as Code (IaC) interface GigabitEthernet1 ip address 172.22.100.2 255.255.255.0 negotiation auto interface GigabitEthernet2 no ip address shutdown negotiation auto interface GigabitEthernet3 no ip address shutdown negotiation auto
- 17. Infrastructure as Code (IaC) interface GigabitEthernet1 ip address 172.22.100.2 255.255.255.0 negotiation auto interface GigabitEthernet2 no ip address shutdown negotiation auto interface GigabitEthernet3 no ip address shutdown negotiation auto --- - name: configure routers hosts: routers gather_facts: false tasks: - name: Configure IP address on interfaces cisco.ios.ios_l3_interfaces: config: - name: "{{ item.key }}" ipv4: - address: "{{ item.value }}" loop: "{{ interfaces | dict2items }}"
- 18. Infrastructure as Code (IaC) interface GigabitEthernet1 ip address 172.22.100.2 255.255.255.0 negotiation auto interface GigabitEthernet2 no ip address shutdown negotiation auto interface GigabitEthernet3 no ip address shutdown negotiation auto --- - name: configure routers hosts: routers gather_facts: false tasks: - name: Configure IP address on interfaces cisco.ios.ios_l3_interfaces: config: - name: "{{ item.key }}" ipv4: - address: "{{ item.value }}" loop: "{{ interfaces | dict2items }}"
- 19. Infrastructure as Code (IaC) image: python:3-slim before_script: - pip install ansible ansible-lint - ansible-lint --version - apt update - apt -y install git stages: - ansible-lint ansible-lint: stage: ansible-lint script: - ansible-lint ./roles/configure_routers
- 20. Infrastructure as Code (IaC) Ansible-Lint
- 21. Infrastructure as Code (IaC) Ansible-Lint Test BGP Test-ACLs
- 22. Infrastructure as Code (IaC) Ansible-Lint Test BGP Test-ACLs Configure Routers