Building a New IPAM System using Netbox and Batfish

Our requirements

We wanted to start with a firm source of truth. That began with modeling what information we wanted to put in Netbox; everyone will map their network onto Netbox's data model slightly differently. I made a couple of mockups and documented in git what each model should be filled with. Here are the required items for creating a prefix in our Netbox model:

Site
VLAN group (if attached to a VLAN)
VLAN (if attached to a VLAN)
Tenant
VRF
Description (optional where none exists in CID or the device config; required for new prefixes going forward)
Status (Active, Reserved, Container, Deprecated)
Role (matching the vlan group role)
[Image: Netbox prefix view mockup]

Populating Netbox using Batfish

My first idea was to scrape the route table for each VRF on our central PE router to determine which prefixes were live on the network. That worked reasonably well, but a route table only shows the preferred path, so it would miss addresses configured on non-preferred paths and on devices that never win route selection. Batfish fills that gap: it parses every device configuration and answers which node, VRF and interface owns each address, whether or not that address is currently the best route. Exported as CSV, that answer looks like this:

Index,Node,VRF,Interface,IP,Mask,Active
0,139-1-router2,GREEN,vlan100,192.0.2.253,24,True
1,139-1-router1,GREEN,vlan100,192.0.2.252,24,True
2,139-1-router2,default,vlan101,192.0.3.1,24,True
Each prefix we discover is tracked as a small Python object that records which of the three sources (CID, the route table, Batfish) know about it, plus the fields Netbox needs:

class prefix:
    def __init__(self, network_object):
        self.network_object = network_object   # e.g. "192.0.2.0/24"
        # Which sources know about this prefix
        self.in_CID = False
        self.in_route_table = False
        self.in_batfish = False
        self.batfish_devices = list()          # nodes that own an address in the prefix
        self.description = None
        self.vrf = None
        self.role = None  # Dev : 2, Prod : 1, Management : 3
        self.interfaces_batfish = list()       # owning interface per device, same order as batfish_devices
        self.status = None  # Active, Container, Reserved, Deprecated
        # CID owner names; the not_in_* strings are markers for prefixes missing from a source
        self.owners_in_CID = [
            'not_in_route_table',
            'not_in_Batfish',
            'not_in_CID',
            'api',
            'joel'
        ]
        self.vlan_group = None
        self.vlan = None
        self.in_netbox = False
        # Netbox object IDs resolved before the prefix is created
        self.site_id = None
        self.vlan_id = None
Serialized to JSON, a populated object for one prefix looks like this (the prefix exists in CID and in Batfish on two routers, but has not yet been created in Netbox):

{
    "network_object": "192.0.2.0/24",
    "in_CID": true,
    "in_route_table": false,
    "in_batfish": true,
    "batfish_devices": [
        "139-1-router2",
        "139-1-router1"
    ],
    "description": "student_labs",
    "vrf": "GREEN",
    "role": null,
    "interfaces_batfish": [
        "Vlan100",
        "Vlan100"
    ],
    "status": null,
    "owners_in_CID": [
        "api",
        "joel",
        "Juan Miller",
        "not_in_route_table",
        "Desiree Martinez"
    ],
    "vlan_group": null,
    "vlan": "100",
    "in_netbox": false,
    "site_id": 14470,
    "vlan_id": 31159
}

Looking ahead: Automatic, continuous validation

Manual updates are challenging and error-prone. After a year of running Netbox in production, it is obvious that we need tooling to ensure our source of truth stays up to date. Our next step is to use Batfish and some of the same code to run a regular audit (nightly or weekly) that reports on prefixes and devices: a "build your own network discovery" tool. That would drive out errors both in our configurations and in our source of truth.
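As an added example (not code from the original post), here is how the three sources can be reconciled in Python and turned into the kind of audit described above, serving both the Batfish-to-prefix step and the continuous-validation step. It assumes the Batfish IP-owner answer has already been exported to CSV in the shape of the table in the previous section; the hostnames, addresses, route-table prefixes and CID entries are constructed for the example, and the status mapping (an address actively owned by a device is Active, one configured only on inactive interfaces is Deprecated) is this example's policy, not the post's. Fetching from pybatfish and writing to Netbox are left out.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of the Batfish ipOwners CSV shown above
# (hostnames and RFC 5737 addresses are made up for the example).
BATFISH_IP_OWNERS = """\
Index,Node,VRF,Interface,IP,Mask,Active
0,139-1-router2,GREEN,vlan100,192.0.2.253,24,True
1,139-1-router1,GREEN,vlan100,192.0.2.252,24,True
2,139-1-router2,default,vlan101,192.0.3.1,24,True
3,139-1-router1,default,vlan102,192.0.4.1,24,False
"""

# Constructed: prefixes scraped from the PE router's route tables, per VRF.
ROUTE_TABLE = {
    "GREEN": {"192.0.2.0/24"},
    "default": {"192.0.3.0/24", "198.51.100.0/24"},
}

# Constructed: legacy IPAM (CID) entries, prefix -> (description, owners).
CID = {
    "192.0.2.0/24": ("student_labs", ["api", "joel"]),
    "192.0.4.0/24": ("old_lab", ["joel"]),
    "203.0.113.0/24": ("decommissioned_lab", ["joel"]),
}


def prefixes_from_ip_owners(csv_text):
    """Collapse per-interface ipOwners rows into one record per (VRF, prefix)."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # strict=False turns a host address such as 192.0.2.253/24 into 192.0.2.0/24
        net = str(ipaddress.ip_network(f"{row['IP']}/{row['Mask']}", strict=False))
        rec = records.setdefault((row["VRF"], net), {
            "network_object": net, "vrf": row["VRF"], "in_batfish": True,
            "batfish_devices": [], "interfaces_batfish": [], "active": False,
        })
        rec["batfish_devices"].append(row["Node"])
        rec["interfaces_batfish"].append(row["Interface"])
        rec["active"] = rec["active"] or row["Active"] == "True"
    return records


def reconcile(batfish, route_table, cid):
    """Merge Batfish, route-table and CID views; return (records, audit findings)."""
    keys = set(batfish)
    for vrf, nets in route_table.items():
        keys |= {(vrf, n) for n in nets}
    merged, findings = {}, []
    for vrf, net in sorted(keys):
        rec = dict(batfish.get((vrf, net), {
            "network_object": net, "vrf": vrf, "in_batfish": False,
            "batfish_devices": [], "interfaces_batfish": [], "active": False,
        }))
        rec["in_route_table"] = net in route_table.get(vrf, set())
        rec["in_CID"] = net in cid
        rec["description"], rec["owners_in_CID"] = cid.get(net, (None, []))
        # Example policy (not the post's): derive status instead of typing it by hand.
        if rec["active"]:
            rec["status"] = "Active"
        elif rec["in_batfish"]:
            rec["status"] = "Deprecated"   # configured only on inactive interfaces
        else:
            rec["status"] = None           # nothing owns it; leave for a human
        if rec["in_batfish"] and not rec["in_route_table"]:
            findings.append(f"{vrf} {net}: configured on {rec['batfish_devices']} but absent from the route table")
        if rec["in_route_table"] and not rec["in_batfish"]:
            findings.append(f"{vrf} {net}: routed but no device config owns an address in it")
        if rec["in_batfish"] and not rec["in_CID"]:
            findings.append(f"{vrf} {net}: live on the network but undocumented in CID")
        merged[(vrf, net)] = rec
    # CID has no VRF column, so compare on the prefix alone.
    seen_nets = {net for _, net in keys}
    for net in sorted(set(cid) - seen_nets):
        findings.append(f"{net}: documented in CID but unknown to Batfish and the route table")
    return merged, findings


def audit_report(csv_text=BATFISH_IP_OWNERS, route_table=ROUTE_TABLE, cid=CID):
    """One run of the nightly audit: reconciled records plus the list of discrepancies."""
    return reconcile(prefixes_from_ip_owners(csv_text), route_table, cid)


if __name__ == "__main__":
    records, findings = audit_report()
    for rec in records.values():
        print(rec["vrf"], rec["network_object"], rec["status"], rec["batfish_devices"])
    for line in findings:
        print("FINDING:", line)
```

Run nightly, the findings list is the report: each line names a prefix that one source knows about and another does not, which is exactly the disagreement between configuration and source of truth the audit is meant to surface. The reconciled records carry the same field names as the prefix class above, so they can be fed to the existing Netbox-creation code once a human has resolved the findings.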
