
Batfish use cases for network validation and testing

Automated pre-change network validation with Batfish can save time in the network change management process and minimize configuration and policy errors when deploying changes.

When deploying network changes, network teams want to find and fix configuration errors before pushing the changes to their network environments. That's why network change management and pre-change validations exist.

Pre-change validation tests a change before it reaches the network, which improves configuration accuracy and prevents consequential errors or outages. But this step of network change management can be complicated and repetitive, especially when done without network automation.

Network teams have many tools at their disposal to overcome challenges with network change management and improve automation, testing and validation processes. One such tool is Batfish, which has grown in popularity for its pre-change testing capabilities and configuration validation.

Challenges with network change management

Network change management is an essential step when making changes, such as adding new routes, blocking traffic flows or changing access control lists (ACLs). The standard network change management process includes steps to perform risk analysis, conduct peer reviews, run pre-change testing, initiate deployment, run post-change testing and update network documentation.

These steps help ensure changes don't negatively affect the network environment. But the traditional methodology can be cumbersome and time-consuming, said Jeff Kala, senior architect at Network to Code, during a recent webinar about pre-change testing in network automation pipelines.

[Figure: 5 steps in network change management. Batfish queries work within the pre-deployment testing phase of network change management to find configuration errors and policy discrepancies before deployment.]

During network change management, Kala said teams often deal with the following challenges:

  • complex environments that inhibit quick changes;
  • long approval stages when working with multiple groups;
  • restricted change windows for scheduling changes;
  • audit restrictions; and
  • complicated methods of procedure.

In some cases, network pros might find they go through the network change management process multiple times to push one change, he added.

Pre-change validation is a vital part of change management, as it tests whether a proposed change will cause an error, outage or other incident. By automating pre-change validation, network teams can implement specific configuration tests that match their business and network requirements and run in automation workflows.


"Doing pre-change validation can save time and avoid you having to go through a change management process multiple times to implement a single change," Kala said.

What is Batfish?

Batfish, maintained by Intentionet, is an open source tool used for network configuration analysis. Network engineers can use it to discover policy discrepancies and configuration errors before pushing changes. Batfish queries, or tests, integrate into automated continuous integration/continuous delivery pipelines.

A powerful aspect of Batfish is that it doesn't require direct access to network devices, Kala said. Instead, Batfish parses existing device configurations, plus optional topology and external routing data, into a vendor-independent data model and computes routing and forwarding tables from that model. Network engineers then run testing queries against the model from their automated validation workflows.

Kala provided the following example pipeline to test a network change:

  1. Create a feature or change branch using Git.
  2. Edit the source of truth, such as the Jinja2 templates or YAML data, to make the change.
  3. Create the configuration, using an Ansible playbook, for example.
  4. Test the configuration, and validate models and schema using Batfish.
  5. Conduct a peer review, create the pull request from the feature branch into the production branch and deploy changes.
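One way to wire step 4 into a CI job, as an added Python example that is not the article's or the Batfish project's own code: the script assumes pybatfish is installed and a Batfish service (for instance the batfish/allinone container) is reachable on localhost, loads the rendered configs as a snapshot and fails the build on parse errors, undefined references or BGP sessions that cannot come up from the configs alone. The network name, snapshot path and the rule for which initIssues types count as fatal are assumptions; the evaluation helpers take plain row dicts so they can be unit tested without a server.

```python
"""Pre-change gate for a candidate snapshot (added example; not from the
article or the Batfish project).

Assumes a Batfish service is reachable (for example the batfish/allinone
container on localhost) and that `snapshot_dir` holds the rendered device
configs under `configs/`, the directory layout Batfish expects. Column names
follow the answer tables of the Batfish questions used. The *_failures helpers
take plain row dicts (one per DataFrame row) so they can be tested offline.
"""
import sys
from typing import Any, Dict, Iterable, List

Row = Dict[str, Any]


def init_issue_failures(rows: Iterable[Row]) -> List[str]:
    """Fail on parse/convert errors and partially recognized files; plain
    warnings are tolerated (assumed policy). If Batfish could not fully
    understand a config, every later answer about that device is suspect."""
    fatal = ("error", "partially")
    return [
        f"{', '.join(r.get('Nodes') or ['?'])}: {r['Type']}: {r['Details']}"
        for r in rows
        if any(word in str(r["Type"]).lower() for word in fatal)
    ]


def undefined_reference_failures(rows: Iterable[Row]) -> List[str]:
    """A route-map, prefix-list or ACL that is referenced but never defined.
    Most network operating systems accept this silently and then fail open
    or closed at runtime, so every row is a failure."""
    return [
        f"{r['File_Name']}: {r['Struct_Type']} '{r['Ref_Name']}' is referenced "
        f"in {r['Context']} but never defined"
        for r in rows
    ]


def bgp_session_failures(rows: Iterable[Row]) -> List[str]:
    """Every configured BGP session Batfish cannot bring up from the configs
    (mismatched AS, missing peer, no route to the peer address)."""
    return [
        f"{r['Node']} -> {r['Remote_IP']} ({r['Established_Status']})"
        for r in rows
        if r["Established_Status"] != "ESTABLISHED"
    ]


def run_gate(snapshot_dir: str, host: str = "localhost") -> List[str]:
    """Load the candidate snapshot and collect every failure. pybatfish is
    imported here so the helpers above stay importable without it."""
    from pybatfish.client.session import Session  # pip install pybatfish

    bf = Session(host=host)
    bf.set_network("prechange-demo")  # hypothetical network name
    bf.init_snapshot(snapshot_dir, name="candidate", overwrite=True)

    def rows(question) -> List[Row]:
        return question.answer().frame().to_dict("records")

    failures: List[str] = []
    failures += init_issue_failures(rows(bf.q.initIssues()))
    failures += undefined_reference_failures(rows(bf.q.undefinedReferences()))
    failures += bgp_session_failures(rows(bf.q.bgpSessionStatus()))
    return failures


if __name__ == "__main__":
    # A non-zero exit status is what blocks the merge in a CI pipeline.
    problems = run_gate(sys.argv[1] if len(sys.argv) > 1 else "snapshots/candidate")
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python prechange_gate.py snapshots/candidate` after the playbook has rendered the configs. Keeping the pass/fail logic in functions that take rows rather than a live session means the policy itself can be reviewed and tested like any other code in the repository.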

Batfish use cases

The Batfish tool is available as a Docker container, and network engineers can use a Python SDK, pybatfish, to query with Batfish. Batfish comes with established testing queries, such as listing node properties, verifying Border Gateway Protocol and Open Shortest Path First sessions, detecting forwarding loops and listing IPsec tunnels. But engineers can also write custom queries to check criteria specific to their organizational requirements, Kala said.

The following are other Batfish use cases:

  • check virtual LAN properties;
  • analyze routing protocols and policies;
  • review configuration compliance;
  • query about traffic types;
  • review firewall and ACL rules;
  • check for unauthenticated access to devices or subnets; and
  • conduct post-change validation and testing.
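A custom query for the ACL and unauthenticated-access items above, as an added Python example that is not from the article or the Batfish project: it uses the built-in testFilters question to confirm that a hypothetical management ACL (MGMT_IN) permits SSH from an assumed jump host and denies SSH and Telnet from an untrusted address. The filter name, addresses and policy table are constructed for illustration; the comparison logic is kept separate so it can be tested with hand-built rows and no server.

```python
"""Management-plane ACL check with Batfish testFilters (added example; not
from the article or the Batfish project).

Assumes a hypothetical filter named MGMT_IN on the devices in the snapshot,
a jump host at 10.10.0.5, a management address 10.0.0.1 and 203.0.113.10 as
a stand-in for an untrusted source. testFilters returns the action each
matching filter takes on one concrete flow, so each row is a definite
PERMIT or DENY rather than a statistical sample.
"""
from typing import Any, Dict, Iterable, List, Tuple

Row = Dict[str, Any]

# (label, source IP, destination IP, TCP port, expected action): constructed policy table
POLICY: List[Tuple[str, str, str, str, str]] = [
    ("jump host may SSH to mgmt", "10.10.0.5", "10.0.0.1", "22", "PERMIT"),
    ("internet must not SSH to mgmt", "203.0.113.10", "10.0.0.1", "22", "DENY"),
    ("internet must not telnet to mgmt", "203.0.113.10", "10.0.0.1", "23", "DENY"),
]


def policy_violations(label: str, expected: str, rows: Iterable[Row]) -> List[str]:
    """Compare testFilters rows (Node, Filter_Name, Action, Line_Content)
    with the expected action. An empty result for a DENY case means no
    device had a filter of that name at all, which is itself a finding:
    nothing is protecting the flow. An empty result for a PERMIT case is
    not reported, since a missing ACL does not block the jump host."""
    rows = list(rows)
    if not rows and expected == "DENY":
        return [f"{label}: no filter matched on any node, flow is not filtered"]
    return [
        f"{label}: {r['Node']} filter {r['Filter_Name']} {r['Action']}s the flow "
        f"(line: {r['Line_Content']})"
        for r in rows
        if r["Action"] != expected
    ]


def check_mgmt_policy(snapshot_dir: str, host: str = "localhost",
                      filter_name: str = "MGMT_IN") -> List[str]:
    """Run every policy row against the snapshot. pybatfish is imported here
    so policy_violations stays importable without it."""
    from pybatfish.client.session import Session  # pip install pybatfish
    from pybatfish.datamodel import HeaderConstraints

    bf = Session(host=host)
    bf.set_network("acl-demo")  # hypothetical network name
    bf.init_snapshot(snapshot_dir, name="candidate", overwrite=True)

    findings: List[str] = []
    for label, src, dst, port, expected in POLICY:
        flow = HeaderConstraints(srcIps=src, dstIps=dst, ipProtocols=["TCP"], dstPorts=port)
        rows = bf.q.testFilters(headers=flow, filters=filter_name).answer().frame().to_dict("records")
        findings += policy_violations(label, expected, rows)
    return findings


if __name__ == "__main__":
    import sys
    for finding in check_mgmt_policy(sys.argv[1] if len(sys.argv) > 1 else "snapshots/candidate"):
        print("FAIL:", finding)
```

Because the answer is computed from the configs, the same script can be run against the pre-change and post-change snapshots to cover the post-change validation use case as well; the Line_Content column names the exact ACL entry that produced an unexpected verdict, which is usually all a reviewer needs.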
