Getty Images/iStockphoto

Batfish use cases for network validation and testing

Automated pre-change network validation with Batfish can save time in the network change management process and minimize configuration and policy errors when deploying changes.

When deploying network changes, network teams want to find and fix configuration errors before pushing the changes to their network environments. That's why network change management and pre-change validations exist.

Pre-change validation provides a way to test changes before network teams deploy them, better ensuring accurate configurations and preventing consequential errors or outages. But this process within network change management can be complicated and repetitive, especially when done without network automation.

Challenges with network change management

Network change management is an essential step when making changes, such as adding new routes, closing traffic flows or changing access control lists (ACLs). The standard network change management process includes steps to determine risk analysis, conduct peer reviews, run pre-change testing, initiate deployment, run post-change testing and update network documentation.

These steps help ensure changes don't negatively affect the network environment. But the traditional methodology can be cumbersome and time-consuming, said Jeff Kala, senior architect at Network to Code, during a recent webinar about pre-change testing in network automation pipelines.

5 steps in network change management
Batfish queries work within the pre-deployment testing phase of network change management to find configuration errors and policy discrepancies before deployment.

During network change management, Kala said teams often deal with the following challenges:

  • complex environments that inhibit quick changes;
  • long approval stages when working with multiple groups;
  • restricted change windows for scheduling changes;
  • audit restrictions; and
  • complicated methods of procedure.

In some cases, network pros might find they go through the network change management process multiple times to push one change, he added.

Pre-change validation is a vital part of change management, as it tests whether a proposed change will cause an error, outage or other incident. By automating pre-change validation, network teams can implement specific configuration tests that match their business and network requirements and run in automation workflows.

Doing pre-change validation can save time and avoid you having to go through a change management process multiple times to implement a single change.
Jeff KalaSenior architect, Network to Code

"Doing pre-change validation can save time and avoid you having to go through a change management process multiple times to implement a single change," Kala said.

What is Batfish?

One tool growing in popularity for pre-change testing is Batfish. Batfish, maintained by Intentionet, is an open source tool used for network configuration analysis. Network engineers can use it to discover policy discrepancies and configuration errors before pushing changes. Batfish queries, or tests, integrate into automated continuous integration/continuous delivery pipelines.

A powerful aspect of Batfish is it doesn't require direct access to network devices, Kala said. Instead, Batfish looks at existing configurations, routing and forwarding tables, and topology information to create a vendor-independent data model. This model provides a representation of the network with which network engineers can add testing queries to their automated validation workflows.

Kala provided the following example pipeline to test a network change:

  1. Create a feature or change branch using Git.
  2. Go into a codebase, such as Jinja or YAML, to make changes.
  3. Create the configuration, using an Ansible playbook, for example.
  4. Test the configuration, and validate models and schema using Batfish.
  5. Conduct a peer review, create the pull request from the feature branch into the production branch and deploy changes.

Batfish use cases

The Batfish tool is available as a Docker container, and network engineers can use a Python SDK, pybatfish, to query with Batfish. Batfish comes with established testing queries, such as listing node properties, verifying Border Gateway Protocol and Open Shortest Path First sessions, detecting forwarding loops and listing IPsec tunnels. But engineers can also write custom queries to check criteria specific to their organizational requirements, Kala said.

The following are other Batfish use cases:

  • check virtual LAN properties;
  • analyze routing protocols and policies;
  • review configuration compliance;
  • query about traffic types;
  • review firewall and ACL rules;
  • check for unauthenticated access to devices or subnets; and
  • conduct post-change validation and testing.

Next Steps

NetOps automation ideas and examples

This was last published in September 2022

Dig Deeper on Network management and monitoring

SearchUnifiedCommunications
SearchMobileComputing
SearchDataCenter
SearchITChannel
Close