What is Batfish?
Batfish is an open-source multi-vendor network analysis tool that allows you to validate configuration data, query control plane state, verify ACL rule sets, analyze routing/flow paths, as well as simulate network failure.
In other words (https://www.batfish.org/),
Batfish finds errors and guarantees the correctness of planned or current network configurations. It enables safe and rapid network evolution, without the fear of outages or security breaches.[^1]
Batfish runs as a containerized service and works offline, i.e. no direct access to network devices is required. Batfish learns about the network via snapshots. A snapshot is a collection of information about your network, such as device configurations and host details (IP addressing and iptables rules).
Once the snapshot has been uploaded to the Batfish service, a series of internal models are built. The first thing to note is that these models are vendor agnostic. Secondly, these models hold both the network configuration and the network control plane (such as OSPF adjacencies and BGP sessions).
These models are then queried via questions using either the Python library pybatfish or the Batfish Ansible role.
Batfish offers a range of features as a result of its use of network modelling and simulation. In turn, these features allow you to perform network verification and analysis that would be extremely difficult, impossible or extremely time-consuming using traditional methods, e.g. sending actual packets across the network.
Let's look at some use cases that Batfish can be applied to, and then the features that Batfish provides that make them possible.
Below is a small snapshot of some of the use cases that Batfish can solve:
- Impact Analysis - Simulate how your network will handle and respond to failure. For example, the failure of an interface or node.
- Configuration Auditing - Ensure your network devices are configured correctly against your configuration standards.
- ACL Testing - Easily validate that ACLs are correctly permitting or denying the expected flows.
- Multi-vendor abstraction - Batfish's use of vendor agnostic models allows you to query information about the network across different vendor types and retrieve the information back in a common data structure.
- Multi-vendor support - Batfish provides support for the following vendors:
  - Amazon Web Services (AWS)
  - F5 BIG-IP
  - Free-Range Routing (FRR)
  - iptables (on hosts)
  - Juniper (All JunOS platforms)
  - Palo Alto Networks
- Packet forwarding analysis - Batfish allows you to perform virtual traceroutes and reachability tests across your network topology. Because this uses network simulation, the constraints of traditional methods are removed: you can simulate traffic being sent from multiple points all at once and simulate the behavior across all ports and protocols, which is just the tip of the iceberg, as we will see later.
- Configuration analysis - Batfish provides an extensive range of configuration attributes that you can query, such as BGP, OSPF and interface properties.
- Control plane analysis - Batfish recreates the control plane. This allows you to verify control plane sessions and adjacencies (such as BGP and OSPF), along with providing fully populated device RIBs.
- ACL analysis - Batfish allows you to validate the outcome of sending certain traffic flows through an ACL or sets of multiple ingress/egress filters.
- Simulated - Batfish's use of simulation brings a number of benefits versus using virtual machines to build a test network, such as:
  - VM boot times can be slow - Because no VMs are needed, the slow boot times disappear, along with much of the time it takes to build the testing environment.
  - Supported features - Due to the virtualized nature of VMs, it is not uncommon for many features to be unavailable in the VE (virtual edition) compared to its physical counterpart. By removing the need for virtual machines, you remove situations where features are not available.
  - Resources - CPU and memory requirements for Batfish are far lower than those of the same environment built from virtual machines.
- Topology forking - Batfish allows you to take your network topology, disable a node, or link and then compare the state of the network. This, in turn, allows you to perform a simulated impact analysis of your network.
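To make the snapshot/question workflow and the ACL testing use case concrete, here is an added example (not code from the Batfish project or this article's author). It expresses an ACL policy as a table of flows that must be permitted or denied, asks Batfish's `testFilters` question for each flow via pybatfish, and reports every mismatch between the policy and what the configuration actually does. The hostnames, filter name, addresses and the snapshot path are constructed placeholders; the live part assumes a Batfish container reachable on `localhost` and pybatfish installed. The policy check itself works on plain row dictionaries so it can be tested without a running service.

```python
"""Added example (not Batfish's own code): audit ACL behaviour with pybatfish.

Assumptions: a Batfish service on localhost, pybatfish installed, and a snapshot
directory holding device configs. Node, filter and address values are constructed.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AclExpectation:
    """One row of the security policy: a flow and the action it must receive."""
    node: str          # device hostname as it appears in the snapshot (constructed)
    filter_name: str   # ACL / filter name on that device (constructed)
    src_ip: str
    dst_ip: str
    application: str   # Batfish application name, e.g. "https", "ssh", "dns"
    expected: str      # "PERMIT" or "DENY"


# Constructed policy matrix: what the edge firewall's inbound filter must do.
EXPECTATIONS = [
    AclExpectation("edge-fw1", "OUTSIDE_IN", "203.0.113.10", "192.0.2.20", "https", "PERMIT"),
    AclExpectation("edge-fw1", "OUTSIDE_IN", "203.0.113.10", "192.0.2.20", "ssh", "DENY"),
    AclExpectation("edge-fw1", "OUTSIDE_IN", "198.51.100.7", "192.0.2.0/24", "dns", "DENY"),
]


def evaluate(expectation: AclExpectation, rows: List[dict]) -> List[str]:
    """Compare one testFilters answer against one policy row.

    `rows` are the answer frame's records; testFilters returns the columns
    Node, Filter_Name, Flow, Action, Line_Content and Trace. An empty answer
    means the node/filter pair was not found in the snapshot, which is itself
    an audit failure (a renamed or deleted ACL silently stops being tested).
    Returns a list of human-readable problems; empty means the policy holds.
    """
    if not rows:
        return [f"{expectation.node}/{expectation.filter_name}: no matching filter in snapshot"]
    problems = []
    for row in rows:
        if row["Action"] != expectation.expected:
            problems.append(
                f"{row['Node']}/{row['Filter_Name']}: {expectation.application} "
                f"{expectation.src_ip}->{expectation.dst_ip} got {row['Action']} "
                f"(expected {expectation.expected}) via line: {row.get('Line_Content')}"
            )
    return problems


def audit(results: Dict[AclExpectation, List[dict]]) -> List[str]:
    """Evaluate every expectation and collect all problems into one report."""
    problems: List[str] = []
    for expectation, rows in results.items():
        problems.extend(evaluate(expectation, rows))
    return problems


def query_batfish(snapshot_dir: str, host: str = "localhost") -> Dict[AclExpectation, List[dict]]:
    """Live part: upload the snapshot and ask testFilters once per policy row."""
    # Imported here so the offline policy check above has no pybatfish dependency.
    from pybatfish.client.session import Session
    from pybatfish.datamodel.flow import HeaderConstraints

    bf = Session(host=host)
    bf.set_network("acl-audit")                       # network name is arbitrary
    bf.init_snapshot(snapshot_dir, name="current", overwrite=True)

    results: Dict[AclExpectation, List[dict]] = {}
    for exp in EXPECTATIONS:
        frame = bf.q.testFilters(
            nodes=exp.node,
            filters=exp.filter_name,
            headers=HeaderConstraints(
                srcIps=exp.src_ip, dstIps=exp.dst_ip, applications=[exp.application]
            ),
        ).answer().frame()
        results[exp] = frame.to_dict("records")
    return results


if __name__ == "__main__":
    # Usage: python acl_audit.py /path/to/snapshot  (path is a placeholder)
    report = audit(query_batfish(sys.argv[1]))
    for line in report:
        print(line)
    sys.exit(1 if report else 0)
```

Because the script exits non-zero on any mismatch, it drops straight into a CI pipeline: run it against the candidate snapshot before a change is pushed, and a "permit ip any any" slipped into `OUTSIDE_IN` shows up as a DENY expectation that now reports PERMIT, with the offending line quoted.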