Today I wanted to quickly share something that you may find useful when working with Batfish. Which is around Batfish's behaviour around the modeling of management networks.
The TL;DR here is:
By default, Batfish shuts down the management interfaces of your nodes.
If you have read this and are thinking - WTF! Just to be clear. For those of you who are new to Batfish. Batfish models your network based on your configs and is purely offline. Therefore, this behaviour is only occurring within the modeled network topology.
Good good. Ok so, if we look at a management interface within Batfish, we can see this behaviour:
>>> bfq.interfaceProperties().answer().frame().iloc[3]
Interface eos-access3[Management1]
Access_VLAN None
Active False <---
All_Prefixes ['172.29.133.7/24']
Allowed_VLANs
Auto_State_VLAN True
Bandwidth 1e+12
...
What Else Does This Mean?
- The management network is not modeled. This is because, by default, Batfish models the network-based upon L3 edges, which it populates based upon active interfaces (shown below):
>>> bfq.edges(edgeType='layer3').answer().frame()
Interface IPs Remote_Interface Remote_IPs
0 nxos-core1[Ethernet1/3] ['10.1.3.1'] nxos-core2[Ethernet1/3] ['10.1.3.2']
1 nxos-core2[Ethernet1/1] ['10.2.1.1'] nxos-aggr2[Ethernet1/4] ['10.2.1.2']
....
- The network and interfaces will not be seen within the devices routing tables, and therefore route analysis (via the below) will not be possible:
>>> bfq.routes(network="172.29.133.0/24").answer().frame()
Empty DataFrame
Columns: [Node, VRF, Network, Next_Hop_IP, Next_Hop_Interface, Protocol, Metric, Admin_Distance, Tag]
Index: []
Which Interfaces are Deactivated?
The next question was how Batfish knows which interface to deactivate. The answer to this is via interface name parsing. This can be seen within the Batfish code below:
...
private static final Pattern MANAGEMENT_INTERFACES =
Pattern.compile(
"(\\Amgmt)|(\\Amanagement)|(\\Afxp0)|(\\Aem0)|(\\Ame0)|(\\Avme)|(\\Awlan-ap)|(\\Aeth\\d+-mgmt\\d+)",
CASE_INSENSITIVE);
...
Quick thanks to Ratul Mahajan for the pointer on this.
Changing the Behaviour
To change this behaviour, we can add an extra_args to our init_session and set the ignoremanagementinterfaces option to False. Like so:
bf_session.init_snapshot(
snapshot_path,
name=snapshot,
overwrite=True,
extra_args={"ignoremanagementinterfaces": False},
)
After initializing the snapshot, we will see that the management interfaces are left as active, and the network is modeled.
>>> bfq.interfaceProperties().answer().frame().iloc[3]
Interface eos-access3[Management1]
Access_VLAN None
Active True <---
All_Prefixes ['172.29.133.7/24']
Allowed_VLANs
>>> bfq.routes(network="172.29.133.0/24").answer().frame()
Node VRF Network Next_Hop_IP Next_Hop_Interface Protocol Metric Admin_Distance Tag
0 eos-access3 default 172.29.133.0/24 AUTO/NONE(-1l) Management1 connected 0 0 None
1 ios-access2 default 172.29.133.0/24 AUTO/NONE(-1l) Management1 connected 0 0 None
2 nxos-aggr1 management 172.29.133.0/24 AUTO/NONE(-1l) mgmt0 connected 0 0 0
3 nxos-aggr2 management 172.29.133.0/24 AUTO/NONE(-1l) mgmt0 connected 0 0 0
4 nxos-core1 management 172.29.133.0/24 AUTO/NONE(-1l) mgmt0 connected 0 0 0
5 nxos-core2 management 172.29.133.0/24 AUTO/NONE(-1l) mgmt0 connected 0 0 0
6 qfx-access1 default 172.29.133.0/24 AUTO/NONE(-1l) em0.0 connected 0 0 None
Great!
Looking to learn more about Batfish? If so check out our Batfish Bootcamp in the link below:
Rick Donato
