Got questions, feedback, or feature requests? Join our community on Slack!
Batfish is a network configuration analysis tool that can find bugs and guarantee the correctness of (planned or current) network configurations. It enables network engineers to rapidly and safely evolve their network, without fear of outages or security breaches. See www.batfish.org for technical information on how it works.
Batfish does not require access to network devices. It can work with configuration files pulled by tools like RANCID or those generated via templates.
The quickest way to get started is using pre-built Docker containers. Or, you can build from sources.
Batfish is also available as a supported service by Intentionet. Drop a line to [email protected] for more information.
Batfish supports many types of correctness checks, including
- Flag undefined-but-referenced or defined-but-unreferenced structures (e.g., ACLs, route maps)
- Configuration settings for MTUs, AAA, NTP, logging, etc. are correct
- Devices can only be accessed using SSHv2 and passwords are not null
- BGP sessions and IPSec tunnels are compatibly configured across neighbors
- All interface IP addresses are unique
- Identically-named structures (e.g., ACLs, route maps) across devices have identical functionality
- Sensitive services can be reached only from specific subnets or devices
- Certain services (e.g., DNS) are globally reachable and not blocked by any ACL in the network
- Paths between endpoints are as expected (e.g., traverse a firewall)
- End-to-end reachability is not impacted for any flow after any single-link or -device failure
- Traffic correctly fails over after a failure
- End-to-end reachability is identical across new and old configurations
- Planned ACL or firewall changes are provably correct, including not causing collateral damage for other traffic
- Two configurations, potentially from different vendors, are functionally equivalent
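As a simplified illustration of two of the checks listed above (undefined-but-referenced or defined-but-unreferenced structures, and unique interface IP addresses), here is an added example. It is not Batfish code and does not use Batfish's API or its analysis model. The regex patterns, function names and the IOS-style sample configuration are assumptions constructed for illustration and cover only a small subset of syntax.

```python
import re
from collections import defaultdict

# Constructed IOS-style configuration (sample input, not from a real device).
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
ip access-list extended UNUSED-ACL
 deny ip any any
route-map EXPORT-POLICY permit 10
 set local-preference 200
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group MGMT-IN in
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
router bgp 65001
 neighbor 198.51.100.2 route-map EXPORT-POLICY out
 neighbor 198.51.100.2 route-map IMPORT-POLICY in
"""
# Definition and reference patterns per structure type (assumed IOS-style subset).
DEFS = {"acl": r"^ip access-list (?:standard|extended) (\S+)",
        "route-map": r"^route-map (\S+) (?:permit|deny)"}
REFS = {"acl": r"^ +ip access-group (\S+) (?:in|out)",
        "route-map": r"^ +neighbor \S+ route-map (\S+) (?:in|out)"}

def structure_findings(config):
    """Return undefined-but-referenced and defined-but-unreferenced names per type."""
    findings = {}
    for kind in DEFS:
        defined = set(re.findall(DEFS[kind], config, re.M))
        used = set(re.findall(REFS[kind], config, re.M))
        findings[kind] = {"undefined": sorted(used - defined),
                          "unreferenced": sorted(defined - used)}
    return findings

def duplicate_interface_ips(config):
    """Return {ip: [interfaces]} for addresses assigned to more than one interface."""
    owners, iface = defaultdict(list), None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new stanza
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1) if m else None
        elif iface and (m := re.match(r" +ip address (\d+(?:\.\d+){3}) ", line)):
            owners[m.group(1)].append(iface)
    return {ip: names for ip, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    print(structure_findings(SAMPLE_CONFIG))
    print(duplicate_interface_ips(SAMPLE_CONFIG))
```

An undefined ACL reference such as `EDGE-IN` is worth flagging because the filter the operator intended is not actually in effect on that interface.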
Batfish supports configurations for a large and growing set of (physical and virtual) devices, including:
- Arista
- Aruba
- AWS VPCs
- Cisco (All Cisco NX-OS, IOS, IOS-XR devices including Cisco ASA)
- Dell Force10
- Foundry
- iptables (on hosts)
- Juniper (All JunOS platforms: MX, EX, QFX, SRX)
- MRV
- Palo Alto Networks
- Quagga
- Quanta
- VyOS
If you'd like support for additional vendors or currently-unsupported configuration features, let us know via Slack or GitHub. We'll try to add support. Or, you can -- we welcome pull requests! :)