Batfish 2022-03-16

@dhalperi dhalperi released this 16 Mar 19:17
d2bda2b

Release notes 🍀

This release brings major new features including initial support for:

  • two new platforms: A10 load balancers and SONiC software routers
  • transitive routing over EVPN (Type 5 route exchange and accompanying forwarding)
  • interface, route, and reachability tracking as applied to HSRP/VRRP priority and static route activation
  • plus new questions, improvements to existing questions, more secure versions of some dependencies with known issues, and hundreds more changes that improve Batfish functionality and performance.

We'd also like to welcome two new code contributors to Batfish since the last release:

  • Welcome @jeffkala, who is beginning EVPN/VXLAN support for JunOS! (#8112)
  • Welcome Donatas Abraitis (@ton31337), who has contributed both fixes and new features for FRR!

New features and noteworthy improvements

Batfish now has initial support for A10 load balancers! We've implemented a variety of features including BGP routing, access-lists, virtual servers, NAT, and VRRP-A. A10 VRRP configuration can be retrieved via bf.q.vrrpProperties and you can inspect A10 virtual service configuration via bf.q.a10VirtualServerConfiguration. Please try it out and let us know how it goes, here or on Slack!

Batfish now has initial support for SONiC devices, mostly mirroring the existing support for Cumulus/FRR routers but via the SONiC config_db.json and frr.conf files. To try it out, see the packaging instructions for SONiC configurations here. Please try it out and let us know how it goes, here or on Slack!

We have added support for full routing and forwarding over EVPN/VXLAN, including layer-3 tunnel establishment, Type-5 route exchange, and routing and forwarding via these tunnels. (Prior versions of Batfish could only establish layer-2 broadcast domain adjacency and exchange limited EVPN routes.) In this release, Batfish supports these features for Cisco NX-OS, but support for JunOS is being contributed by @jeffkala via Network To Code and Juniper Networks.

Batfish now supports interface, route, and reachability tracks, so that VRRP/HSRP priorities and static route activation can be adjusted dynamically. These features are modeled for several Cisco platforms (IOS, IOS-XR, and NX-OS) and are used internally for A10 VRRP-A.

Improvements to Batfish questions include:

  • bf.q.interfaceProperties will now explain why an interface is down (#7939). See the 'Inactive_Reason' column, which may indicate things like an autostate VLAN with no active ports, a port-channel with no active members, and other reasons.
  • bf.q.routes, bf.q.bgpRib, and bf.q.evpnRib all have a new NextHop column (#7838), which explains the next hop of the route unambiguously. The legacy Next_Hop_Ip and Next_Hop_Interface columns were confusing for discard routes, next-VRF routes, and VXLAN tunnels.
  • bf.q.routes added the prefixMatchType parameter to enable users to search not just for an exact match to the input network, but also longer or shorter prefixes (#7714). See the linked documentation for more information.
  • bf.q.ipOwners now supports filtering of results via the new ips parameter (#7888).
  • bf.q.bgpRib now reports the received-from IP (#7781).
  • bf.q.vrrpProperties now supports filtering by address via the virtualAddresses parameter (#7889).
  • Added bf.q.hsrpProperties, a new question to analyze HSRP configuration (#7967).
  • Added bf.q.userProvidedLayer1Topology, a new question that returns a normalized version of the user-provided Layer 1 topology. Use it to validate whether layer1_topology.json is correctly formed.

Pre-change validation:

We continue to support pre-change validation via appended configuration changes. If there are changes you'd like to validate but the incremental commands are not recognized in Batfish, please let us know by filing an issue or joining Batfish Slack!

  • Cisco IOS-XR: support appended changes to ipv4 access-lists (#7798)
  • Cisco NX-OS: support appended changes to interfaces, routes, and bgp (various).

Other noteworthy enhancements include:

  • General: The data plane and reachability engines have been updated for improved memory usage and scalability.
  • General: ensure 32-bit ASNs are allowed in all configuration contexts (#8011, thanks @BouchardClaude!)
  • JunOS: rewritten Lexer that speeds up reading files by up to 20x
  • JunOS: improved ACL modeling including more "from" clauses (address, icmp-type-except, icmp-code-except, etc)
  • Arista EOS: Fix OSPF network statement processing (#7943, thanks @jeffkala!)
  • Arista EOS: Do not treat vxlan multicast-groups as VTEPs (#8085, thanks @rmcmilli!)
  • Cisco IOS-XR: support IPv4 and IPv6 access-lists with the same name (#7827)
  • Cisco NX-OS: improved tracking of trunk allowed vlans based on configured vlans (#7936, #7953)
  • JunOS: fix a bug using mixed IPv4-IPv6 prefix-lists (#8060, thanks @rugvedapande!)
  • JunOS: add support for new built-in applications (#8007, thanks @boost on Batfish Slack!)
  • JunOS: handle then permit application-services (#8127, thanks @Justin H on Batfish Slack!)
  • Cisco IOS: Support for portgroup in extended ACLs (#7684, thanks @urskog84!)
  • SearchRoutePolicies: do not crash when analyzing Juniper AS-path regexes (#7984, thanks @djabar!)
  • Cisco ASA: improve dependence tracking for named interfaces (#7810, thanks Dustin Rosarius on Batfish Slack!)
  • Cisco ASA: handle next-hop interface routes (#8138, thanks @jhammond-git!)
  • Cisco IOS: fix parsing dotted ASNs (#8079, thanks @adosztal!)
  • Cisco IOS: Fix missing extraction case for pfs group20 (#7994, thanks @empusas!)
  • Cisco IOS: implement route-map set as-path replace (#8081, thanks @kefins!)
  • Arista EOS: extract 25gfull (#8106, thanks @adosztal!)
  • Cisco IOS: do not model nve1 as an interface (#8107, thanks @adosztal!)

Updates and Deprecations

  • ⚠️ Pybatfish no longer supports Python 3.6.
  • ⚠️ As we continue to work on Layer-1 topology, Batfish will be increasingly strict about enforcing correct input. For example, Layer-1 edges should only be between physical interfaces; future versions of Batfish will ignore (rather than honor) Layer-1 edges where one endpoint is, say, an FRR bond interface or an Arista port-channel. See the new bf.q.userProvidedLayer1Topology question described above.

Installation

To upgrade your local Docker image, run docker pull batfish/allinone then follow the standard instructions to get started.