The experimental content in this repository has been archived. Go to batfish ansible repository for current content.
This repo contains the files and instructions necessary to reproduce our Ansible demo presentation, which uses Pybatfish and Batfish to validate pre-commit network configuration changes.
Automation without pre-commit validation is risky. Use Batfish in your automated workflow for comprehensive correctness guarantees before pushing to production.
- Run Batfish. If you don't already have it set up and running, run this to set up and start the Docker container:
  `mkdir -p data && docker run -d -v $(pwd)/data:/data -p 9997:9997 -p 9996:9996 batfish/allinone:sha_736c753_e840243`
- Install the Pybatfish version used for the demo (to guarantee compatibility):
  `pip install git+git://github.com/batfish/pybatfish.git@386d0379e0b16985cee9c6cd12c0e7d8d8c8d6cc`
- Install Ansible (see the Ansible installation guide for details):
  `pip install ansible`
- Clone this demo repo:
  `git clone git@github.com:batfish/ansible-demo.git`
- Edit the group vars in the `playbooks/inventory` file to reflect your setup.
- Run the setup script to create the base snapshot and policies:
  `python python/demo-setup.py -p snapshots/snapshot0/ -a "DC Fabric Policy" checks/fabric/ -a "DC Base Policy" checks/base/`
This Git integration allows Ansible to create a branch in the GitHub repository with your network configurations, and commit each change you validate to that branch.
- Clone your network repo, e.g.
  `git clone git@github.com:YOUR_ORG_NAME/YOUR_NETWORK_REPO.git`
  Note: the network repo should be laid out the same way as `snapshots/snapshot0/`, with config files in a `configs/` dir at the root of the repo.
- Generate a GitHub token with access to this repo, then supply the token in the `playbooks/inventory` file.
This S3 integration is for posting Batfish validation logs to your S3 bucket. Logs are also stored locally whether or not S3 is used.
- Create an S3 bucket to store your logs.
- Install the required Python modules:
  `pip install botocore`
  `pip install boto3`

- Follow these instructions to create a Slack service that accepts incoming webhooks.
The example network from the demo is shown below. During the demo, we make two changes to the network:
- Add a new leaf, `leaf-03`, which is not included in the network initially
- Update the ACLs on the firewalls to permit a new HTTP service

Note:
- Both scenarios can optionally be run with the extra tags `s3`, `slack`, and/or `git` to enable the different integrations.
- Logs for each playbook run are written to `s3_logs/`.
This scenario adds a new leaf router to an existing datacenter and confirms that the changes made adhere to the defined network policies.

This run fails due to duplicate BGP ASNs between leaf 2 and leaf 3.
- Run the playbook:
  `ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"`
- Fill in the prompts:
  - Hostname: `lhr-leaf-03`
  - POD: `1`
  - BGP ASN: `65002`

This run passes our predefined policies.
- Run the playbook:
  `ansible-playbook -i playbooks/inventory playbooks/master.yml --tags "always"`
- Fill in the prompts:
  - Hostname: `lhr-leaf-03`
  - POD: `1`
  - BGP ASN: `65003`
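As an added, offline illustration of the policy that makes the first run fail (this is example code written for this write-up, not the demo's playbook, its `checks/fabric/` policy or Batfish's own analysis; the config fragments, hostnames and ASNs are constructed, and `render_leaf` is an assumed stand-in for whatever template the playbook fills from the prompt answers), the following Python collects the `router bgp` ASN from each device config and refuses a candidate leaf whose ASN is already in use:

```python
import re
from collections import defaultdict

# Constructed config fragments standing in for snapshots/snapshot0/configs/*
# (not the demo's real files; hostnames, router IDs and ASNs are made up here).
EXISTING_CONFIGS = {
    "lhr-leaf-01": "hostname lhr-leaf-01\n!\nrouter bgp 65001\n bgp router-id 10.0.0.1\n",
    "lhr-leaf-02": "hostname lhr-leaf-02\n!\nrouter bgp 65002\n bgp router-id 10.0.0.2\n",
    "lhr-spine-01": "hostname lhr-spine-01\n!\nrouter bgp 65000\n bgp router-id 10.0.0.100\n",
}

ROUTER_BGP_RE = re.compile(r"^router bgp (\d+)\s*$", re.MULTILINE)


def local_asn(config_text):
    """Return the ASN from the first 'router bgp N' line, or None if the device runs no BGP."""
    match = ROUTER_BGP_RE.search(config_text)
    return int(match.group(1)) if match else None


def duplicate_asns(configs):
    """Map each ASN claimed by more than one device to the sorted list of those devices."""
    owners = defaultdict(list)
    for hostname, text in configs.items():
        asn = local_asn(text)
        if asn is not None:
            owners[asn].append(hostname)
    return {asn: sorted(hosts) for asn, hosts in owners.items() if len(hosts) > 1}


def render_leaf(hostname, pod, asn):
    """Assumed stand-in for the template the playbook renders from the prompt answers."""
    return f"hostname {hostname}\n! pod {pod}\n!\nrouter bgp {asn}\n"


def validate_new_leaf(hostname, pod, asn, existing=EXISTING_CONFIGS):
    """Pre-commit check: build the candidate snapshot and refuse it if any ASN is shared.

    Returns (ok, duplicates); duplicates is empty when the change is safe to commit.
    """
    candidate = dict(existing)
    candidate[hostname] = render_leaf(hostname, pod, asn)
    duplicates = duplicate_asns(candidate)
    return (not duplicates, duplicates)


if __name__ == "__main__":
    for asn in (65002, 65003):  # the two ASNs entered at the prompts above
        ok, dups = validate_new_leaf("lhr-leaf-03", 1, asn)
        print(f"lhr-leaf-03 with ASN {asn}: {'PASS' if ok else 'FAIL ' + str(dups)}")
```

With ASN 65002 the check reports `{65002: ['lhr-leaf-02', 'lhr-leaf-03']}` and refuses the change, matching the first run; with 65003 it passes. In the demo the equivalent check is evaluated by Batfish on its parsed model of the configs rather than on raw text, so it also sees cases a line regex like this one misses (for example an ASN set per neighbor with `local-as`).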
This scenario is derived from our Provably Safe ACL and Firewall Changes Python notebook. It updates our firewalls to allow access to a new HTTP service (TCP port 80 on subnet 10.1.5.0/27) and confirms that the changes:
- Are necessary (i.e. the firewalls do not currently permit the new traffic)
- Allow the new traffic
- Don't allow anything other than the new traffic (i.e. confirm no collateral damage)

This run creates a bigger hole in the firewall than we intended (the wildcard mask 0.0.0.63 matches a /26, twice the intended /27), and thus fails the collateral damage check.
- Edit the file `inputs/acls.json` to reflect the desired ACL changes, adding this line just before the deny-all line:
  `"permit tcp any 10.1.5.0 0.0.0.63 eq 80",`
- Run the ACL playbook:
  `ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"`
- Fill in the prompts:
  - Firewall hostnames: `lhr-fw-01|lhr-fw-02`
  - POD: `1`
  - Source IPs of new traffic to allow: `0.0.0.0/0`
  - Destination IPs of new traffic to allow: `10.1.5.0/27`
  - IP protocol for new traffic to allow: `tcp`
  - Destination ports: `80`

This run passes our ACL validation checks.
- Edit the file `inputs/acls.json` to reflect the desired ACL changes, replacing the line added above with this line:
  `"permit tcp any 10.1.5.0 0.0.0.31 eq 80",`
- Run the ACL playbook:
  `ansible-playbook -i playbooks/inventory playbooks/master_acl.yml --tags "create"`
- Fill in the prompts, same as the previous run:
  - Firewall hostnames: `lhr-fw-01|lhr-fw-02`
  - POD: `1`
  - Source IPs of new traffic to allow: `0.0.0.0/0`
  - Destination IPs of new traffic to allow: `10.1.5.0/27`
  - IP protocol for new traffic to allow: `tcp`
  - Destination ports: `80`
Got questions, feedback, or feature requests? Join our community on Slack!