{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Introduction to Forwarding Analysis using Batfish" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Analyzing how the network forwards packets is one of the most common tasks for network engineers. Typically, it is performed by running `traceroute` between multiple sources and destinations. This process is highly complex even in a moderately-sized network. It also fails to provide strong assurance as only some of the source-destination pairs and some of the packets can be feasibly tested. \n", "\n", "Batfish makes forwarding analysis extremely simple by providing 1) easy-to-use queries over a centralized view of the network; and 2) ability to reason comprehensively about entire spaces of flows. Further, it can perform this analysis proactively, that is, analyze the impact of configuration changes *before* they are pushed to the network. \n", "\n", "In this notebook, we will show you how to perform forwarding analysis with Batfish.\n", "\n", "Check out a video demo of this notebook [here](https://youtu.be/yaJBH3ZZ5Dw)." ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "# Import packages\n", "%run startup.py\n", "bf = Session(host=\"localhost\")" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Setup: Initializing the Network and Snapshot" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "`SNAPSHOT_PATH` below can be updated to point to a custom snapshot directory. See the [Batfish instructions](https://github.com/batfish/batfish/wiki/Packaging-snapshots-for-analysis) for how to package data for analysis.\n", "\n", "More example networks are available in the [networks](https://github.com/batfish/batfish/tree/master/networks) folder of the Batfish repository." ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'example_snapshot'" ] }, "execution_count": 2, "metadata": {}, "output_type": "execute_result" } ], "source": [ "NETWORK_NAME = \"example_network\"\n", "SNAPSHOT_NAME = \"example_snapshot\"\n", "\n", "SNAPSHOT_PATH = \"networks/example\"\n", "\n", "bf.set_network(NETWORK_NAME)\n", "bf.init_snapshot(SNAPSHOT_PATH, name=SNAPSHOT_NAME, overwrite=True)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The network snapshot that we initialized above is illustrated below. You can view or download the devices' configuration files [here](https://github.com/batfish/pybatfish/tree/master/jupyter_notebooks/networks/example).\n", "\n", "![example-network](https://raw.githubusercontent.com/batfish/pybatfish/master/jupyter_notebooks/networks/example/example-network.png)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "All of the information we will show you in this notebook is dynamically computed by Batfish based on the configuration files for the network devices.\n", "\n", "---\n", "\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Batfish Smart Traceroute: Detailed analysis of path(s) of a flow" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "In this section, we will use the [traceroute question](https://pybatfish.readthedocs.io/en/latest/notebooks/forwarding.html#Traceroute) to find the path taken by AS3 core routers to reach the DNS Server (`host1`) in AS2. Traceroute has three (composite) parameters that you can specify, allowing for a variety of queries. We will focus on the two main ones:\n", "\n", "* `startLocation` - where in the network the flow starts\n", "* `headers` - [packet headers](https://pybatfish.readthedocs.io/en/latest/datamodel.html#pybatfish.datamodel.flow.HeaderConstraints) for the flow you are interested in tracing. This is **not** just limited to UDP or ICMP.\n", "\n", "We want the trace to start from the `Loopback0` interface on `as3core1`, and we want to use the IP address of that interface as the source address. For this we set the `startLocation` to `as3core1[Loopback0]`. Batfish automatically chooses the IP address of `Loopback0` as the source IP.\n", "\n", "We set the destination IP address of our virtual packet by specifying `dstIps='ofLocation(host1)'`. Batfish will automatically pick *one of the* IP addresses for `host1` as the destination IP address. See the `ofLocation` function (see [documentation](https://github.com/batfish/batfish/blob/master/questions/Parameters.md#ip-specifier) for more detail).\n", "\n", "To run the query:" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "# start the traceroute from the Loopback0 interface of as3core1 to host1\n", "headers = HeaderConstraints(dstIps='host1')\n", "tracert = bf.q.traceroute(startLocation=\"as3core1[Loopback0]\", headers=headers).answer().frame()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "To pretty-print the traces in HTML use the `display_html` function. We will show you how to extract more detailed information below." ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
 FlowTracesTraceCount
0Start Location: as3core1
Src IP: 3.10.1.1
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 33434
IP Protocol: UDP		DENIED_IN
1. node: as3core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as3border1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
4. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
6. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
7. node: host1
  RECEIVED(eth0)
  DENIED(filter::INPUT (INGRESS_FILTER))

DENIED_IN
1. node: as3core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as3border1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
4. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet3/0)
5. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
6. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
7. node: host1
  RECEIVED(eth0)
  DENIED(filter::INPUT (INGRESS_FILTER))

DENIED_IN
1. node: as3core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as3border1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: as2dist1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
6. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
7. node: host1
  RECEIVED(eth0)
  DENIED(filter::INPUT (INGRESS_FILTER))

DENIED_IN
1. node: as3core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as3border1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet3/0)
5. node: as2dist2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
6. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
7. node: host1
  RECEIVED(eth0)
  DENIED(filter::INPUT (INGRESS_FILTER))		4
\n" ], "text/plain": [ " Flow \\\n", "0 start=as3core1 [3.10.1.1:49152->2.128.0.101:33434 UDP] \n", "\n", " Traces \\\n", "0 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), DENIED(filter::INPUT (INGRESS_FILTER)))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), DENIED(filter::INPUT (INGRESS_FILTER)))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), DENIED(filter::INPUT (INGRESS_FILTER)))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), DENIED(filter::INPUT (INGRESS_FILTER))))] \n", "\n", " TraceCount \n", "0 4 " ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "show(tracert)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The `Flow` column describes the packet being traced: it starts at `as3core1` using source IP `3.10.1.1` (of `Loopback0`) and and destination IP `2.128.0.101`. By default, `bf.q.traceroute` uses the standard UDP traceroute to destination port `33434`, and Batfish arbitrarily picks the lowest ephemeral source port of `49152`." ] }, { "cell_type": "code", "execution_count": 5, "metadata": {}, "outputs": [ { "data": { "text/html": [ "Start Location: as3core1
Src IP: 3.10.1.1
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 33434
IP Protocol: UDP" ], "text/plain": [ "Flow(dscp=0, dstIp='2.128.0.101', dstPort=33434, ecn=0, fragmentOffset=0, icmpCode=None, icmpVar=None, ingressInterface=None, ingressNode='as3core1', ingressVrf='default', ipProtocol='UDP', packetLength=512, srcIp='3.10.1.1', srcPort=49152, tcpFlagsAck=0, tcpFlagsCwr=0, tcpFlagsEce=0, tcpFlagsFin=0, tcpFlagsPsh=0, tcpFlagsRst=0, tcpFlagsSyn=0, tcpFlagsUrg=0)" ] }, "execution_count": 5, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tracert['Flow'][0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The `Trace` column contains the detailed information provided by Batfish about the paths through the network for each flow. Let's look in detail on the first path:" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [ { "data": { "text/html": [ "DENIED_IN
1. node: as3core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 3.0.1.1, Routes: [ibgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as3border1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 10.23.21.2, Routes: [bgp (Network: 2.128.0.0/16, Next Hop: ip 10.23.21.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
4. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
6. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
7. node: host1
  RECEIVED(eth0)
  DENIED(filter::INPUT (INGRESS_FILTER))" ], "text/plain": [ "Trace(disposition='DENIED_IN', hops=[Hop(node='as3core1', steps=[Step(detail=OriginateStepDetail(originatingVrf='default'), action='ORIGINATED'), Step(detail=RoutingStepDetail(routes=[RouteInfo(protocol='ibgp', network='2.128.0.0/16', nextHop=NextHopIp(ip='10.23.21.2', type='ip'), nextHopIp=None, admin=200, metric=50)], forwardingDetail=ForwardedOutInterface(outputInterface='GigabitEthernet1/0', resolvedNextHopIp='3.0.1.1', type='ForwardedOutInterface'), arpIp='3.0.1.1', outputInterface='GigabitEthernet1/0'), action='FORWARDED'), Step(detail=ExitOutputIfaceStepDetail(outputInterface='GigabitEthernet1/0', transformedFlow=None), action='TRANSMITTED')]), Hop(node='as3border1', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='GigabitEthernet0/0', inputVrf='default'), action='RECEIVED'), Step(detail=RoutingStepDetail(routes=[RouteInfo(protocol='bgp', network='2.128.0.0/16', nextHop=NextHopIp(ip='10.23.21.2', type='ip'), nextHopIp=None, admin=20, metric=50)], forwardingDetail=ForwardedOutInterface(outputInterface='GigabitEthernet1/0', resolvedNextHopIp='10.23.21.2', type='ForwardedOutInterface'), arpIp='10.23.21.2', outputInterface='GigabitEthernet1/0'), action='FORWARDED'), Step(detail=ExitOutputIfaceStepDetail(outputInterface='GigabitEthernet1/0', transformedFlow=None), action='TRANSMITTED')]), Hop(node='as2border2', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='GigabitEthernet0/0', inputVrf='default'), action='RECEIVED'), Step(detail=FilterStepDetail(filter='OUTSIDE_TO_INSIDE', filterType='INGRESS_FILTER', inputInterface='GigabitEthernet0/0', flow=Flow(dscp=0, dstIp='2.128.0.101', dstPort=33434, ecn=0, fragmentOffset=0, icmpCode=None, icmpVar=None, ingressInterface=None, ingressNode='as3core1', ingressVrf='default', ipProtocol='UDP', packetLength=512, srcIp='3.10.1.1', srcPort=49152, tcpFlagsAck=0, tcpFlagsCwr=0, tcpFlagsEce=0, tcpFlagsFin=0, tcpFlagsPsh=0, tcpFlagsRst=0, tcpFlagsSyn=0, tcpFlagsUrg=0)), action='PERMITTED'), Step(detail=RoutingStepDetail(routes=[RouteInfo(protocol='ibgp', network='2.128.0.0/24', nextHop=NextHopIp(ip='2.34.101.4', type='ip'), nextHopIp=None, admin=200, metric=50), RouteInfo(protocol='ibgp', network='2.128.0.0/24', nextHop=NextHopIp(ip='2.34.201.4', type='ip'), nextHopIp=None, admin=200, metric=50)], forwardingDetail=ForwardedOutInterface(outputInterface='GigabitEthernet1/0', resolvedNextHopIp='2.12.22.2', type='ForwardedOutInterface'), arpIp='2.12.22.2', outputInterface='GigabitEthernet1/0'), action='FORWARDED'), Step(detail=ExitOutputIfaceStepDetail(outputInterface='GigabitEthernet1/0', transformedFlow=None), action='TRANSMITTED')]), Hop(node='as2core2', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='GigabitEthernet0/0', inputVrf='default'), action='RECEIVED'), Step(detail=RoutingStepDetail(routes=[RouteInfo(protocol='ibgp', network='2.128.0.0/24', nextHop=NextHopIp(ip='2.34.201.4', type='ip'), nextHopIp=None, admin=200, metric=50)], forwardingDetail=ForwardedOutInterface(outputInterface='GigabitEthernet2/0', resolvedNextHopIp='2.23.22.3', type='ForwardedOutInterface'), arpIp='2.23.22.3', outputInterface='GigabitEthernet2/0'), action='FORWARDED'), Step(detail=ExitOutputIfaceStepDetail(outputInterface='GigabitEthernet2/0', transformedFlow=None), action='TRANSMITTED')]), Hop(node='as2dist2', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='GigabitEthernet0/0', inputVrf='default'), action='RECEIVED'), Step(detail=RoutingStepDetail(routes=[RouteInfo(protocol='bgp', network='2.128.0.0/24', nextHop=NextHopIp(ip='2.34.201.4', type='ip'), nextHopIp=None, admin=20, metric=50)], forwardingDetail=ForwardedOutInterface(outputInterface='GigabitEthernet2/0', resolvedNextHopIp='2.34.201.4', type='ForwardedOutInterface'), arpIp='2.34.201.4', outputInterface='GigabitEthernet2/0'), action='FORWARDED'), Step(detail=ExitOutputIfaceStepDetail(outputInterface='GigabitEthernet2/0', transformedFlow=None), action='TRANSMITTED')]), Hop(node='as2dept1', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='GigabitEthernet1/0', inputVrf='default'), action='RECEIVED'), Step(detail=RoutingStepDetail(routes=[RouteInfo(protocol='connected', network='2.128.0.0/24', nextHop=NextHopInterface(interface='GigabitEthernet2/0', ip=None, type='interface'), nextHopIp=None, admin=0, metric=0)], forwardingDetail=ForwardedOutInterface(outputInterface='GigabitEthernet2/0', resolvedNextHopIp=None, type='ForwardedOutInterface'), arpIp=None, outputInterface='GigabitEthernet2/0'), action='FORWARDED'), Step(detail=ExitOutputIfaceStepDetail(outputInterface='GigabitEthernet2/0', transformedFlow=None), action='TRANSMITTED')]), Hop(node='host1', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='eth0', inputVrf='default'), action='RECEIVED'), Step(detail=FilterStepDetail(filter='filter::INPUT', filterType='INGRESS_FILTER', inputInterface='eth0', flow=Flow(dscp=0, dstIp='2.128.0.101', dstPort=33434, ecn=0, fragmentOffset=0, icmpCode=None, icmpVar=None, ingressInterface=None, ingressNode='as3core1', ingressVrf='default', ipProtocol='UDP', packetLength=512, srcIp='3.10.1.1', srcPort=49152, tcpFlagsAck=0, tcpFlagsCwr=0, tcpFlagsEce=0, tcpFlagsFin=0, tcpFlagsPsh=0, tcpFlagsRst=0, tcpFlagsSyn=0, tcpFlagsUrg=0)), action='DENIED')])])" ] }, "execution_count": 6, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tracert['Traces'][0][0] # Get the trace for the first path of the first flow" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "This flow starts at `as3core1` and crosses from AS3 into AS2 via the border routers `as3border1` and `as2border2`; on `as2border2`, the flow is permitted by the inbound ACL `OUTSIDE_TO_INSIDE`. Once inside AS2, the flow is forwarded through AS2's core and distribution servers to the department router. The flow does reach `host1`, but is blocked by that server iptables rule `filter::INPUT` on `eth0`." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The `TraceCount` column reports the total number of paths for each flow. In this example, the count `4` matches the four paths we saw in the `Traces` column. These are all the best-cost paths inside AS2 -- the flow can go through either `as2core1` or `as2core2` and either `as2dist1` or `as2dist2`.\n", "\n", "Detail: `TraceCount` may not always match the `TracesColumn`: in networks with high ECMP, there may be hundreds or even thousands of traces even for a single flow, in which case the `Traces` column will produce fewer results.\n", "\n" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "4" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "tracert['TraceCount'][0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "To programmatically get the _detailed_ information about the final hop of the first trace in pure Python form:" ] }, { "cell_type": "code", "execution_count": 8, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "\"Hop(node='host1', steps=[Step(detail=EnterInputIfaceStepDetail(inputInterface='eth0', inputVrf='default'), action='RECEIVED'), Step(detail=FilterStepDetail(filter='filter::INPUT', filterType='INGRESS_FILTER', inputInterface='eth0', flow=Flow(dscp=0, dstIp='2.128.0.101', dstPort=33434, ecn=0, fragmentOffset=0, icmpCode=None, icmpVar=None, ingressInterface=None, ingressNode='as3core1', ingressVrf='default', ipProtocol='UDP', packetLength=512, srcIp='3.10.1.1', srcPort=49152, tcpFlagsAck=0, tcpFlagsCwr=0, tcpFlagsEce=0, tcpFlagsFin=0, tcpFlagsPsh=0, tcpFlagsRst=0, tcpFlagsSyn=0, tcpFlagsUrg=0)), action='DENIED')])\"" ] }, "execution_count": 8, "metadata": {}, "output_type": "execute_result" } ], "source": [ "last_hop = tracert['Traces'][0][0].hops[-1]\n", "repr(last_hop)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Note that compared to running traceroute on a router, **Batfish is able to provide much more detail about the trace**:\n", "\n", "1. All active parallel paths between the source and destination\n", "1. The reason why each hop in a path is taken (the specific routing entry that was matched)\n", "1. All processing steps inside each hop on the path\n", "1. All interfaces visited and filters encountered during the trace\n", "1. The disposition of the flow for each path" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Batfish Reachability: Search for forwarding behaviors in (large) spaces of flows\n", "\n", "Batfish's smart traceroute provides detailed information about all paths taken by a specified flow through the network, which is a powerful capability for exploring and testing network behavior. However, network engineers often need information about some *type* of flow, without being able to specify a particular flow of that type. For example, we may want to know what TCP flows can (or cannot) reach a particular host. In other words, we want to search within the (huge!) space of TCP flows addressed to that host. Batfish's\n", "[reachability question](https://pybatfish.readthedocs.io/en/latest/notebooks/forwarding.html#Reachability) \n", "is an easy and efficient way to perform exactly this kind of search.\n", "\n", "### Example 1: Search for DNS flows that reach the DNS server\n", "Continuing with our running example, let's search for DNS flows within AS2 that reach our DNS server `host1`. The parameter `srcIps='0.0.0.0/0'` tells Batfish to search within the entire space of source IP addresses. \n", "\n", "Detail: In traceroute `ofLocation(host1)` specified a single IP address of `host1` (chosen arbitrarily). In reachability, it specifies to search over *all* IP addresses of `host1`." ] }, { "cell_type": "code", "execution_count": 9, "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
 FlowTracesTraceCount
0Start Location: as2border1
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2border1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		4
1Start Location: as2border2
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2border2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		4
2Start Location: as2core1
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2dist1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2core1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet3/0)
2. node: as2dist2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		2
3Start Location: as2core2
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2core2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2core2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet3/0)
2. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		2
4Start Location: as2dept1
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2dept1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		1
5Start Location: as2dist1
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2dist1
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		1
6Start Location: as2dist2
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2dist2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		1
\n" ], "text/plain": [ " Flow \\\n", "0 start=as2border1 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "1 start=as2border2 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "2 start=as2core1 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "3 start=as2core2 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "4 start=as2dept1 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "5 start=as2dist1 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "6 start=as2dist2 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "\n", " Traces \\\n", "0 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "1 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "2 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "3 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "4 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "5 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "6 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "\n", " TraceCount \n", "0 4 \n", "1 4 \n", "2 2 \n", "3 2 \n", "4 1 \n", "5 1 \n", "6 1 " ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "path = PathConstraints(startLocation=\"/as2/\")\n", "headers = HeaderConstraints(srcIps=\"0.0.0.0/0\", dstIps=\"host1\", applications=\"DNS\")\n", "reach = bf.q.reachability(pathConstraints=path, headers=headers, actions=\"success\").answer().frame()\n", "show(reach)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "As you can see, this query found *some* DNS flow entering the network at *each* `as2...` node destined for `host1` that would be delivered. This guarantees that DNS is at least partially available (some authorized nodes can reach `host1`). \n", "\n", "## Using Batfish Reachability as a verification tool\n", "\n", "Batfish's reachability analysis performs an *exhaustive* search, considering every possible flow. This makes it a very powerful tool for finding bugs, and when no bugs are found, it provides **strong guarantees** about the network behavior. It allows you to **verify** essential network properties like availability or security (i.e., presence or absence of reachability). In the following examples shows we'll use reachability to verify the intended availability and security properties of our DNS server.\n", "\n", "### Example 2: Verify that the DNS server is available *everywhere* inside AS2 \n", "To verify DNS is available inside of AS2, we search for flows that would demonstrate a lack of availability -- i.e. DNS flows to `host1` that would **fail** to be delivered. Our intent in this case is that no such flows should exist in the network, and this is where we see the power of exhaustive search. If Batfish does not find any dropped DNS flows to `host1`, we have **verified** availability. \n", "\n" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
FlowTracesTraceCount
\n", "
" ], "text/plain": [ "Empty DataFrame\n", "Columns: [Flow, Traces, TraceCount]\n", "Index: []" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "path = PathConstraints(startLocation=\"/as2/\")\n", "headers = HeaderConstraints(dstIps=\"host1\", applications=\"DNS\")\n", "reach = bf.q.reachability(pathConstraints=path, headers=headers, actions=\"failure\").answer().frame()\n", "show(reach)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The fact that Batfish returned 0 flows guarantees that `host1` is reachable via DNS from everywhere within AS2. This guarantees that DNS is available to all authorized nodes." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Example 3: No UDP traffic except DNS is accessible on host1\n", "Next, let's verify a security property: that no UDP traffic other than DNS will reach `host1`. We do this by searching for any UDP flows **accepted** by `host1` that are **not DNS**:" ] }, { "cell_type": "code", "execution_count": 11, "metadata": {}, "outputs": [ { "data": { "text/html": [ "
\n", "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
FlowTracesTraceCount
\n", "
" ], "text/plain": [ "Empty DataFrame\n", "Columns: [Flow, Traces, TraceCount]\n", "Index: []" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "path = PathConstraints(startLocation=\"/as2/\")\n", "headers = HeaderConstraints(srcIps=\"0.0.0.0/0\", dstIps=\"host1\", ipProtocols=\"UDP\", dstPorts=\"!53\")\n", "reach = bf.q.reachability(pathConstraints=path, headers=headers, actions=\"accepted\").answer().frame()\n", "show(reach)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Success! Since Batfish returned 0 flows, we are guaranteed that no unauthorized UDP flows will reach `host1`." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Example 4: Verify that the DNS server is not reachable from *anywhere* outside AS2 \n", "Next, let's verify that no DNS traffic from *outside* of AS2 can reach `host1`. We can do this by searching for flows starting from the border interfaces (`GigabitEthernet0/0` on AS2 border routers).\n", "\n", "_Details_: We use the [enter function](https://github.com/batfish/batfish/blob/master/questions/Parameters.md#interface-specifier) to model that traffic is received on the interface rather than starting from a border router. If we did not relax source IP to `0.0.0.0/0`, only source IP addresses within the connected subnet of the border interfaces would be included in the search." ] }, { "cell_type": "code", "execution_count": 12, "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
 FlowTracesTraceCount
0Start Location: as2border1 interface=GigabitEthernet0/0
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2border1
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border1
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border1
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border1
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		4
1Start Location: as2border2 interface=GigabitEthernet0/0
Src IP: 10.0.0.0
Src Port: 49152
Dst IP: 2.128.0.101
Dst Port: 53
IP Protocol: UDP		ACCEPTED
1. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2core2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2dist1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)

ACCEPTED
1. node: as2border2
  RECEIVED(GigabitEthernet0/0)
  PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER))
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet3/0)
3. node: as2dist2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)])
  TRANSMITTED(GigabitEthernet2/0)
4. node: as2dept1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)])
  TRANSMITTED(GigabitEthernet2/0)
5. node: host1
  RECEIVED(eth0)
  PERMITTED(filter::INPUT (INGRESS_FILTER))
  ACCEPTED(eth0)		4
\n" ], "text/plain": [ " Flow \\\n", "0 start=as2border1 interface=GigabitEthernet0/0 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "1 start=as2border2 interface=GigabitEthernet0/0 [10.0.0.0:49152->2.128.0.101:53 UDP] \n", "\n", " Traces \\\n", "0 [((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.12.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "1 [((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.22.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.11.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.101.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0))), ((RECEIVED(GigabitEthernet0/0), PERMITTED(OUTSIDE_TO_INSIDE (INGRESS_FILTER)), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.101.4),ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.12.3, Routes: [ibgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.34.201.4, Routes: [bgp (Network: 2.128.0.0/24, Next Hop: ip 2.34.201.4)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0, Routes: [connected (Network: 2.128.0.0/24, Next Hop: interface GigabitEthernet2/0)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(eth0), PERMITTED(filter::INPUT (INGRESS_FILTER)), ACCEPTED(eth0)))] \n", "\n", " TraceCount \n", "0 4 \n", "1 4 " ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "path = PathConstraints(startLocation=\"@enter(/as2border/[GigabitEthernet0/0])\")\n", "headers = HeaderConstraints(srcIps=\"0.0.0.0/0\", dstIps=\"host1\", applications=\"DNS\")\n", "reach = bf.q.reachability(pathConstraints=path, headers=headers, actions=\"success\").answer().frame()\n", "show(reach)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "We found that the DNS server is **not** secure: external DNS traffic can reach `host1`! However, we did find where to look: in all likelihood, the `OUTSIDE_TO_INSIDE` ACL on the border router should be blocking more DNS traffic." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Multipath Consistency: Verify consistent treatment of a flow across all paths" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Finally, we will demonstrate an **experimental** feature to detect an important class of reachability bugs in any network with *no* user input: the `multipathconsistency` check. This question will report find flows with multipath routing where some paths reach the destination and some paths fail. Multipath inconsistencies are almost always bugs, and may be a sign that the network is not robust to failures.\n", "\n", "In this example network there are mutiple multipath consistencies; for conciseness we show only the first result." ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "data": { "text/html": [ "\n", "\n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", " \n", "
 FlowTracesTraceCount
0Start Location: as2core2
Src IP: 2.1.2.2
Src Port: 49152
Dst IP: 2.1.2.1
Dst Port: 23
IP Protocol: TCP (SYN)		ACCEPTED
1. node: as2core2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 2.12.22.1, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet0/0 ip 2.12.22.1)])
  TRANSMITTED(GigabitEthernet0/0)
2. node: as2border2
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet2/0 ip 2.12.21.2)])
  TRANSMITTED(GigabitEthernet2/0)
3. node: as2core1
  RECEIVED(GigabitEthernet1/0)
  ACCEPTED(Loopback0)

ACCEPTED
1. node: as2core2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.12.1, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet1/0 ip 2.12.12.1)])
  TRANSMITTED(GigabitEthernet1/0)
2. node: as2border1
  RECEIVED(GigabitEthernet2/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet1/0 ip 2.12.11.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2core1
  RECEIVED(GigabitEthernet0/0)
  ACCEPTED(Loopback0)

DENIED_IN
1. node: as2core2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet2/0 ip 2.23.22.3)])
  TRANSMITTED(GigabitEthernet2/0)
2. node: as2dist2
  RECEIVED(GigabitEthernet0/0)
  FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.23.12.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet1/0 ip 2.23.12.2)])
  TRANSMITTED(GigabitEthernet1/0)
3. node: as2core1
  RECEIVED(GigabitEthernet3/0)
  DENIED(blocktelnet (INGRESS_FILTER))

DENIED_IN
1. node: as2core2
  ORIGINATED(default)
  FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet3/0 ip 2.23.21.3)])
  TRANSMITTED(GigabitEthernet3/0)
2. node: as2dist1
  RECEIVED(GigabitEthernet1/0)
  FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 2.23.11.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet0/0 ip 2.23.11.2)])
  TRANSMITTED(GigabitEthernet0/0)
3. node: as2core1
  RECEIVED(GigabitEthernet2/0)
  DENIED(blocktelnet (INGRESS_FILTER))		4
\n" ], "text/plain": [ " Flow \\\n", "0 start=as2core2 [2.1.2.2:49152->2.1.2.1:23 TCP (SYN)] \n", "\n", " Traces \\\n", "0 [((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 2.12.22.1, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet0/0 ip 2.12.22.1)]), TRANSMITTED(GigabitEthernet0/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.12.21.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet2/0 ip 2.12.21.2)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet1/0), ACCEPTED(Loopback0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.12.1, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet1/0 ip 2.12.12.1)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet2/0), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.12.11.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet1/0 ip 2.12.11.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet0/0), ACCEPTED(Loopback0))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet2/0 with resolved next-hop IP: 2.23.22.3, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet2/0 ip 2.23.22.3)]), TRANSMITTED(GigabitEthernet2/0)), (RECEIVED(GigabitEthernet0/0), FORWARDED(Forwarded out interface: GigabitEthernet1/0 with resolved next-hop IP: 2.23.12.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet1/0 ip 2.23.12.2)]), TRANSMITTED(GigabitEthernet1/0)), (RECEIVED(GigabitEthernet3/0), DENIED(blocktelnet (INGRESS_FILTER)))), ((ORIGINATED(default), FORWARDED(Forwarded out interface: GigabitEthernet3/0 with resolved next-hop IP: 2.23.21.3, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet3/0 ip 2.23.21.3)]), TRANSMITTED(GigabitEthernet3/0)), (RECEIVED(GigabitEthernet1/0), FORWARDED(Forwarded out interface: GigabitEthernet0/0 with resolved next-hop IP: 2.23.11.2, Routes: [ospf (Network: 2.1.2.1/32, Next Hop: interface GigabitEthernet0/0 ip 2.23.11.2)]), TRANSMITTED(GigabitEthernet0/0)), (RECEIVED(GigabitEthernet2/0), DENIED(blocktelnet (INGRESS_FILTER))))] \n", "\n", " TraceCount \n", "0 4 " ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "multipath = bf.q.multipathConsistency().answer().frame()\n", "first_result = multipath.head(1) # this check returns many results, just show 1\n", "show(first_result)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The above trace shows that traffic from `as2core2` to `as2core1` can take four paths: through either of the two border routers or through either distribution router. However, telnet traffic will be blocked for only two of these four paths: the ones that traverse the distribution layer." ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "\n", "\n", "## Wrap-up\n", "\n", "This concludes the notebook. To recap, we covered the foundational tasks for path analysis:\n", "\n", "1. We performed a traceroute to check connectivity to `host1`\n", "2. Analyzed detailed path & hop information for the traceroute\n", "3. Explored a space of flows with the reachablity question and found an ACL bug that allows some external clients to reach the DNS server\n", "4. Perfomed a security check that ensures that only SSH and DNS traffic can reach `host1`\n", "5. Found multipath inconsistency in the network, for which only some paths result in successful communication\n", "\n", "We hope you found this notebook useful and informative. Future notebooks will dive into more advanced topics ensuring planned configuration changes do not have unintended consequences. Stay tuned!\n", "\n", "### Want to learn more? \n", "\n", "Reach out to us through [Slack](https://join.slack.com/t/batfish-org/shared_invite/enQtMzA0Nzg2OTAzNzQ1LTcyYzY3M2Q0NWUyYTRhYjdlM2IzYzRhZGU1NWFlNGU2MzlhNDY3OTJmMDIyMjQzYmRlNjhkMTRjNWIwNTUwNTQ) or [GitHub](https://github.com/batfish/batfish) to learn more, or send feedback." ] } ], "metadata": { "hide_input": false, "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.9.15" } }, "nbformat": 4, "nbformat_minor": 1 }