Batfish Notes - Building Test Network

This document provides information about building test networks and obtaining AWS configuration data to analyze in Batfish. It includes: 1) Instructions for building example test networks with multiple autonomous systems and configuring individual routers and hosts. 2) A Python library that can retrieve AWS configuration data like availability zones, internet gateways, security groups, and VPCs. 3) Steps for loading the network and snapshot data into Batfish including initializing the data, viewing routing tables, and selecting routes from specific devices.

Uploaded by

Douglas Fraser

Batfish notes

Build network data


For training purposes you must first build a test network (a snapshot) for Batfish to analyze.

Batfish ships with the built-in example network outlined below. It spans three autonomous systems (AS1, AS2, AS3) and two host endpoints.
Each AS has two border routers and at least one core router. AS2, the AS that holds the hosts, has a three-tier stack
(two border, two core and two distribution routers) feeding a "department" router that connects to the two hosts.

1. Configs – need a config file for each node (all the routers); the example uses Cisco IOS syntax


a. as1border1.cfg
i. version 15.2
ii. service timestamps debug and log
iii. hostname as1border1
iv. no aaa
v. no ip icmp rate-limit
vi. ip cef
1. Enables Cisco Express Forwarding
vii. multilink bundle-name authenticated
1. Controls how IOS names the multilink PPP bundles it creates, for local
identification and management only. The Cisco Community thread on this
command uses the example of two routers, R1 and R2, interconnected with
two parallel serial links S1/0 and S1/1
a. multilink bundle-name authenticated - Cisco Community
viii. ip tcp synwait-time 5
1. Sets how long the router waits for a TCP connection it is opening to
complete before giving up (ip tcp synwait-time global configuration
command; here 5 seconds)
ix. Interface loopback0
x. Interface Ethernet0/0
1. Hardware interface names such as Ethernet0/0, Management0/0 and
GigabitEthernet1/0 are predefined and cannot be changed; VLAN
subinterfaces carry a suffix, such as Ethernet0/0.1. (The separate
"interface name" that describes an interface's function and security
posture is ASA nameif terminology; IOS routers use only the hardware names.)
xi. GigabitEthernet
1. 0/0, 1/0
2. Ip address
3. Media type (gbic, rj45, etc.)
4. Speed
5. Duplex – full, half
6. Negotiation – auto or set manual
xii. router ospf 1
1. The router ospf command enables OSPF (Open Shortest Path First) and
must come before any other OSPF command. OSPF is a link-state Interior
Gateway Protocol designed to replace RIP; routers track the state of their
neighbours by exchanging "hello" packets at set intervals.
2. When a link or router fails, OSPF floods link-state updates to every
router in the area, and each router re-floods them onward. In steady state
OSPF is nearly silent (hellos and periodic refreshes only); it floods only
when the topology changes, so that routing information propagates through
the network as quickly as possible.
3. router-id 1.1.1.1
4. redistribute connected subnets
5. passive-interface Loopback0
6. network 1.0.0.0 0.255.255.255 area 1
b. as1border2.cfg
c. as1core1.cfg
i. Similar config to the border routers
1. version
2. hostname
3. boot start and end markers
4. logging host
5. no aaa
6. no ip icmp rate-limit
7. interface Loopback0
8. unique IP address per router
9. Ethernet and GigabitEthernet interfaces
10. router ospf
11. router bgp
12. address-family ipv4
ii. No filtering rules
iii. No external (eBGP) AS neighbours; the core only peers with its own AS
iv. No route-map
d. Other routers
i. as2border1.cfg
ii. as2border2.cfg
iii. as2core1.cfg
iv. as2core2.cfg
v. as2dept1.cfg
vi. as2dist1.cfg
vii. as2dist2.cfg
viii. as3border1.cfg
ix. as3border2.cfg
x. as3core1.cfg
2. Hosts
a. JSON file (one per host, e.g. hosts/host1.json)

{
  "hostname" : "host1",
  "iptablesFile" : "iptables/host1.iptables",
  "hostInterfaces" : {
    "eth0" : {
      "name": "eth0",
      "prefix" : "2.128.0.101/24",
      "gateway": "2.128.0.1"
    }
  }
}

3. Iptables
a. Host iptables (iptables-save format, e.g. iptables/host1.iptables)

# Generated by iptables-save v1.4.7
*mangle
:PREROUTING ACCEPT [16586:1618694]
:INPUT ACCEPT [16586:1618694]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18957:2978114]
:POSTROUTING ACCEPT [18957:2978114]
COMMIT
# Generated by iptables-save v1.4.7
*filter
:INPUT DROP [157:11076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [114:18840]
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Generated by iptables-save v1.4.7 on Thu Dec 5 07:40:27 2013
*nat
:PREROUTING ACCEPT [1695:100150]
:POSTROUTING ACCEPT [1626:121319]
:OUTPUT ACCEPT [1626:121319]
COMMIT
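The filter table above is what makes host1 interesting to Batfish: the INPUT policy is DROP, so only the two ACCEPT rules decide what the host exposes. The following Python is an added example, not code from the notes or from Batfish. It parses the iptables-save text into tables, chains and rules, then walks a chain the way the kernel does (first terminal match wins, otherwise the chain policy applies) so you can ask what verdict a given packet gets. The rule text is the page's own; the packet addresses are constructed from the host1 JSON. Only a small set of match options is modelled, and the parser raises on anything else rather than silently mis-evaluating a rule.

```python
"""Parse an iptables-save dump and work out how the host's filter table treats a packet."""
import ipaddress

# Constructed input: the host1 rule set from the notes above (counters kept as shown).
HOST1_IPTABLES = """\
# Generated by iptables-save v1.4.7
*mangle
:PREROUTING ACCEPT [16586:1618694]
:INPUT ACCEPT [16586:1618694]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18957:2978114]
:POSTROUTING ACCEPT [18957:2978114]
COMMIT
*filter
:INPUT DROP [157:11076]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [114:18840]
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1695:100150]
:POSTROUTING ACCEPT [1626:121319]
:OUTPUT ACCEPT [1626:121319]
COMMIT
"""

# Match options this evaluator models. Anything else (-m state, --state, "!", ...)
# raises, so an unmodelled rule is never silently treated as a non-match.
OPTIONS = {"-p": "proto", "--dport": "dport", "--sport": "sport", "-s": "src",
           "-d": "dst", "-i": "in_if", "-o": "out_if", "-j": "target", "-m": None}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens):
    """'-A INPUT -p udp --dport 53 -j ACCEPT' -> {'chain': 'INPUT', 'proto': 'udp', ...}."""
    if len(tokens) < 4 or tokens[0] != "-A":
        raise ValueError("malformed rule: " + " ".join(tokens))
    rule = {"chain": tokens[1]}
    for i in range(2, len(tokens), 2):
        if i + 1 >= len(tokens) or tokens[i] not in OPTIONS:
            raise ValueError("unsupported option %r in: %s" % (tokens[i], " ".join(tokens)))
        if OPTIONS[tokens[i]] is not None:      # "-m tcp" only loads a match module
            rule[OPTIONS[tokens[i]]] = tokens[i + 1]
    if "target" not in rule:
        raise ValueError("rule without -j target: " + " ".join(tokens))
    return rule


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":INPUT DROP [157:11076]"; "-" = user chain
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            rule = parse_rule(line.split())
            table["rules"].setdefault(rule["chain"], []).append(rule)
        elif line == "COMMIT":
            table = None
        else:
            raise ValueError("unsupported iptables-save line: " + line)
    return tables


def _in_range(spec, port):
    lo, _, hi = spec.partition(":")             # "22" or "1024:65535"
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    if "proto" in rule and rule["proto"] != pkt.get("proto"):
        return False
    for key in ("dport", "sport"):
        if key in rule and (pkt.get(key) is None or not _in_range(rule[key], pkt[key])):
            return False
    for key in ("src", "dst"):
        if key in rule and (pkt.get(key) is None or ipaddress.ip_address(pkt[key])
                            not in ipaddress.ip_network(rule[key], strict=False)):
            return False
    return all(rule[k] == pkt.get(k) for k in ("in_if", "out_if") if k in rule)


def evaluate(table, chain, pkt, depth=0):
    """Walk a chain in order: the first matching terminal target wins, a jump to a
    user-defined chain is followed, RETURN or no match falls through to the policy."""
    if depth > 32:
        raise RecursionError("chain jump loop at " + chain)
    for rule in table["rules"].get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        verdict = evaluate(table, target, pkt, depth + 1)
        if verdict is not None:
            return verdict
    policy = table["policy"].get(chain, "-")
    return None if policy == "-" else policy


def inbound_allowlist(table):
    """(INPUT policy, sorted (proto, port) pairs accepted by INPUT): what the host exposes."""
    ports = sorted((r["proto"], int(r["dport"])) for r in table["rules"].get("INPUT", [])
                   if r["target"] == "ACCEPT" and "proto" in r and "dport" in r)
    return table["policy"].get("INPUT"), ports


TABLES = parse_iptables_save(HOST1_IPTABLES)
FILTER = TABLES["filter"]


def inbound_verdict(proto, dport, src="2.128.0.1"):
    """Verdict of host1's INPUT chain for a packet from `src` to host1's eth0 address."""
    return evaluate(FILTER, "INPUT", {"proto": proto, "dport": dport, "src": src, "dst": "2.128.0.101"})


if __name__ == "__main__":
    print(inbound_allowlist(FILTER))
    for proto, port in (("udp", 53), ("tcp", 22), ("tcp", 53), ("tcp", 80)):
        print(proto, port, inbound_verdict(proto, port))
```

The point the evaluator makes explicit is that the first rule is protocol-specific: UDP/53 is accepted, TCP/53 is not, and anything else hits the DROP policy. Note that a real iptables-save from a modern box will carry `-m state --state` or `-m conntrack` options that this evaluator refuses; Batfish's own host model handles the full rule language.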

AWS network

A cloud or hybrid network produces considerably more data and configuration than the simple three-AS
sample network.

Pull the AWS configs with this Python tool:

GitHub - ratulm/bf-aws-snapshot

1. AWS configs
a. Region – us-east and us-west
i. us-east
1. Addresses
2. Availability zones

"AvailabilityZones": [
{
"Messages": [],
"RegionName": "us-east-2",
"State": "available",
"ZoneId": "use2-az1",
"ZoneName": "us-east-2a"
},
3. Customer gateways

"CustomerGateways": [
  {
    "BgpAsn": "65100",
    "CustomerGatewayId": "cgw-0d7410421c0d7799e",
    "IpAddress": "147.75.69.27",
    "State": "available",
    "Tags": [],
    "Type": "ipsec.1"
  }
]

4. Elasticsearch domains

"DomainStatusList": []

5. Internet gateways

"InternetGateways": [
  {
    "Attachments": [
      {
        "State": "available",
        "VpcId": "vpc-0574d08f8d05917e4"
      }
    ],
    "InternetGatewayId": "igw-02fd68f94367a67c7",
    "OwnerId": "554773406868",
    "Tags": [
      {
        "Key": "Name",
        "Value": "igw-1"
      }
    ]
  }
]

6. NAT gateways

"NatGateways": []

7. Network ACLs

"NetworkAcls": [
  {
    "Associations": [
      {
        "NetworkAclAssociationId": "aclassoc-03d754ed89de8572d",
        "NetworkAclId": "acl-09c0bb4e71ae5f9e4",
        "SubnetId": "subnet-06a692ed4ef84368d"
      },
      {
        "NetworkAclAssociationId": "aclassoc-0b2106b6bf2ae41e8",
        "NetworkAclId": "acl-09c0bb4e71ae5f9e4",
        "SubnetId": "subnet-0333a0749ea4ce3df"
      }
    ],
    "Entries": [
      {
        "CidrBlock": "0.0.0.0/0",
        "Egress": true,
        "Protocol": "-1",
        "RuleAction": "allow",
        "RuleNumber": 100
      },

8. Network interfaces
9. Prefix lists
10. RDS instances
11. Reservations
12. Route tables
13. Security groups
14. Subnets
15. Transit gateway
a. Attachments
b. Propagations
c. Route tables
d. Static routes
e. VPC attachments
16. VPC
a. Endpoints
b. Endpoint services
c. Peering connections
d. Gateways
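The NetworkAcls fragment above shows a single egress entry (rule 100, allow everything to 0.0.0.0/0), but a reviewer wants to know what an ACL does to a specific flow and which subnets it covers. The Python below is an added example, not code from the notes, from bf-aws-snapshot or from Batfish. It evaluates entries with AWS network-ACL semantics: entries for one direction are tried in ascending RuleNumber, the first match wins, and the entry AWS reports as RuleNumber 32767 is the implicit "*" deny. The ACL id, association ids, subnet ids and egress rule 100 are the ones on the page; the ingress entries and the two 32767 deny entries are constructed for the example.

```python
"""Evaluate AWS network ACL entries the way the VPC does: lowest RuleNumber first, first match wins."""
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-network-acls`. The ACL id,
# association/subnet ids and egress rule 100 are the ones shown in the notes above;
# the ingress entries and the two 32767 deny entries (how the API reports the
# implicit "*" deny) are made up for this example.
NETWORK_ACLS_JSON = """
{ "NetworkAcls": [ {
    "NetworkAclId": "acl-09c0bb4e71ae5f9e4",
    "Associations": [
      {"NetworkAclAssociationId": "aclassoc-03d754ed89de8572d",
       "NetworkAclId": "acl-09c0bb4e71ae5f9e4", "SubnetId": "subnet-06a692ed4ef84368d"},
      {"NetworkAclAssociationId": "aclassoc-0b2106b6bf2ae41e8",
       "NetworkAclId": "acl-09c0bb4e71ae5f9e4", "SubnetId": "subnet-0333a0749ea4ce3df"}
    ],
    "Entries": [
      {"CidrBlock": "0.0.0.0/0", "Egress": true, "Protocol": "-1",
       "RuleAction": "allow", "RuleNumber": 100},
      {"CidrBlock": "0.0.0.0/0", "Egress": true, "Protocol": "-1",
       "RuleAction": "deny", "RuleNumber": 32767},
      {"CidrBlock": "10.0.0.0/8", "Egress": false, "Protocol": "6",
       "PortRange": {"From": 22, "To": 22}, "RuleAction": "allow", "RuleNumber": 100},
      {"CidrBlock": "0.0.0.0/0", "Egress": false, "Protocol": "6",
       "PortRange": {"From": 443, "To": 443}, "RuleAction": "allow", "RuleNumber": 110},
      {"CidrBlock": "0.0.0.0/0", "Egress": false, "Protocol": "-1",
       "RuleAction": "deny", "RuleNumber": 32767}
    ]
} ] }
"""

# AWS stores the IP protocol number as a string; "-1" means every protocol.
PROTOCOL_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


def entry_matches(entry, proto, port, remote):
    """Does this entry match `proto` traffic on `port` with `remote` as the far-end address?"""
    if entry["Protocol"] not in ("-1", PROTOCOL_NUMBERS[proto]):
        return False
    cidr = entry.get("CidrBlock") or entry["Ipv6CidrBlock"]
    addr, net = ipaddress.ip_address(remote), ipaddress.ip_network(cidr)
    if addr.version != net.version or addr not in net:
        return False
    port_range = entry.get("PortRange")       # absent for Protocol -1 and for ICMP
    if port_range is not None and not (port_range["From"] <= port <= port_range["To"]):
        return False
    return True


def nacl_verdict(acl, egress, proto, port, remote):
    """Return (action, rule_number). Entries of one direction are evaluated in ascending
    RuleNumber and evaluation stops at the first match; nothing matching means deny.
    `remote` is the source for ingress and the destination for egress."""
    candidates = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for entry in candidates:
        if entry_matches(entry, proto, port, remote):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None


def wide_open_allows(acl):
    """Allow entries that admit every protocol and port from or to anywhere: flag these in review."""
    return [("egress" if e["Egress"] else "ingress", e["RuleNumber"]) for e in acl["Entries"]
            if e["RuleAction"] == "allow" and e["Protocol"] == "-1"
            and e.get("CidrBlock") == "0.0.0.0/0"]


def subnets_for_acl(acl):
    """Subnets the ACL is bound to, i.e. the blast radius of any change to it."""
    return sorted(a["SubnetId"] for a in acl["Associations"])


ACL = json.loads(NETWORK_ACLS_JSON)["NetworkAcls"][0]

if __name__ == "__main__":
    print("subnets:", subnets_for_acl(ACL))
    print("ssh from 10.1.2.3:", nacl_verdict(ACL, False, "tcp", 22, "10.1.2.3"))
    print("ssh from 203.0.113.5:", nacl_verdict(ACL, False, "tcp", 22, "203.0.113.5"))
    print("wide open:", wide_open_allows(ACL))
```

Two caveats a practitioner should keep in mind. Network ACLs are stateless, so a flow that is allowed inbound still needs an egress entry covering the reply (typically the ephemeral port range), unlike security groups, which are stateful. And an allow-all entry like egress rule 100 is exactly what the default ACL of a VPC contains, so `wide_open_allows` is a finding only for subnets that are meant to be restricted.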

Loading Data

4. To load data
a. %run startup.py
i. Loads logging, pandas, random and IPython display, plus the pybatfish client (the bf_* commands and the bfq question module)
b. Initialize data (Python is case-sensitive, so write the names exactly as below)
i. NETWORK_NAME = ""
ii. SNAPSHOT_NAME = ""
iii. SNAPSHOT_PATH = ""  # directory holding the snapshot (configs/, hosts/, iptables/ ...)
iv. bf_set_network(NETWORK_NAME)
1. The bf_* functions come from the pybatfish library
v. bf_init_snapshot(SNAPSHOT_PATH, name=SNAPSHOT_NAME, overwrite=True)
5. View routing tables for all devices and VRFs
a. routes_all = bfq.routes().answer().frame()
i. bfq – the Batfish question module (bfq.<question>() builds a question)
ii. .answer().frame() – the standard way to run a question and get the result as a pandas DataFrame
6. Select routes from devices
a. Option 1 – ask Batfish for only what you need by passing parameters to the routes() question
i. Limited to filtering on node, VRF, network and protocol (regular-expression style)
ii. bfq.routes(nodes="OR1", vrfs="default").answer().frame()
b. Option 2 – filter the full routes_all output with the pandas API
i. routes_as1border = routes_all[(routes_all['Node'].str.contains('OR1')) & (routes_all['VRF'] == 'default')]
ii. routes_as1border
iii. Shows node, VRF, network, next hop, next hop IP, next hop interface, protocol, metric and admin distance
7. BGP-learnt routes in the default VRF on the border routers
a. bfq.routes(nodes="OR1", vrfs="default", protocols="bgp").answer().frame()

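Steps 5 to 7 above need a running Batfish service, so the following added example (not code from the notes or from pybatfish) works on the frame after it has been pulled back: it implements the same node/VRF/network/protocol selection over plain records, which is what `routes_all.to_dict("records")` gives you from the real DataFrame, and turns step 7 into a check: which border routers have no BGP-learned route in their default VRF, the usual symptom of a peering that never came up. The rows are constructed in the layout of the routes() answer; node names follow the example network, the prefixes and next hops are made up, and as3border2 is deliberately left without a BGP route so the check has something to report. The filters are plain regular expressions, a simplification of Batfish's node and VRF specifier grammar.

```python
"""Select routes from a Batfish routes() answer and check border routers for BGP-learned routes."""
import re

# Constructed sample rows in the column layout of bfq.routes().answer().frame().
# Node names follow the example network above; prefixes and next hops are made up,
# and as3border2 is deliberately given no BGP route so the check below flags it.
ROUTES = [
    {"Node": "as1border1", "VRF": "default", "Network": "1.0.1.0/24",   "Next_Hop_IP": None,         "Protocol": "connected"},
    {"Node": "as1border1", "VRF": "default", "Network": "2.128.0.0/16", "Next_Hop_IP": "10.12.11.2", "Protocol": "bgp"},
    {"Node": "as1border1", "VRF": "default", "Network": "3.0.1.0/24",   "Next_Hop_IP": "10.13.22.3", "Protocol": "bgp"},
    {"Node": "as1border2", "VRF": "default", "Network": "2.128.0.0/16", "Next_Hop_IP": "10.12.12.2", "Protocol": "bgp"},
    {"Node": "as1core1",   "VRF": "default", "Network": "1.0.1.0/24",   "Next_Hop_IP": "1.0.1.1",    "Protocol": "ospf"},
    {"Node": "as2border1", "VRF": "default", "Network": "1.0.1.0/24",   "Next_Hop_IP": "10.12.11.1", "Protocol": "bgp"},
    {"Node": "as3border2", "VRF": "default", "Network": "3.0.1.0/24",   "Next_Hop_IP": "3.0.1.2",    "Protocol": "ospf"},
    {"Node": "as3border2", "VRF": "mgmt",    "Network": "0.0.0.0/0",    "Next_Hop_IP": "192.0.2.1",  "Protocol": "static"},
]


def select_routes(rows, nodes=None, vrfs=None, network=None, protocols=None):
    """Mirror the routes() question's filters: each parameter is a regular expression
    (full match, case-insensitive) over the matching column; None means no filter.
    Pass routes_all.to_dict("records") to run this over a real Batfish answer."""
    def ok(value, pattern):
        return pattern is None or (value is not None and re.fullmatch(pattern, value, re.IGNORECASE))
    return [r for r in rows
            if ok(r["Node"], nodes) and ok(r["VRF"], vrfs)
            and ok(r["Network"], network) and ok(r["Protocol"], protocols)]


def nodes_without_protocol(rows, node_pattern, vrf="default", protocol="bgp"):
    """Nodes matching node_pattern whose VRF holds no route of the given protocol.
    For border routers and protocol "bgp" this lists devices whose peerings never
    produced a route, which is what step 7 above is really looking for."""
    candidates = {r["Node"] for r in rows if re.fullmatch(node_pattern, r["Node"], re.IGNORECASE)}
    have = {r["Node"] for r in select_routes(rows, nodes=node_pattern, vrfs=vrf, protocols=protocol)}
    return sorted(candidates - have)


if __name__ == "__main__":
    for r in select_routes(ROUTES, nodes=r"as\dborder\d", vrfs="default", protocols="bgp"):
        print(r["Node"], r["Network"], "via", r["Next_Hop_IP"])
    print("border routers with no BGP route:", nodes_without_protocol(ROUTES, r"as\dborder\d"))
```

The same two calls work unchanged on the real frame from step 5 (`select_routes(routes_all.to_dict("records"), ...)`), and the empty-list result of `nodes_without_protocol` is the kind of assertion worth keeping in a CI check over each new snapshot.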