Network automation has numerous benefits for organizations adopting a DevOps model for managing their infrastructure, including speed, agility, and a consistent change control process. However, with improvements in speed, there comes an added risk of configuration errors rapidly propagating through the network. To safeguard against potential mistakes, network and security verification become an essential part of the network DevOps lifecycle. This page outlines an approach to pre-change and post-change network and security verification using Forward Enterprise and CloudVision to continuously validate that the network is compliant with security and availability policies.
Arista CloudVision is a network-wide approach for workload orchestration, workflow automation, and real-time telemetry as a turnkey solution for Cloud Networking.
CloudVision’s network-wide perspective delivers a more efficient approach for several operational and network telemetry use-cases:
• Centralized representation of distributed network state, allowing for a single point of integration and network-wide visibility
• Turn-key automation for initial and ongoing zero-touch provisioning, configuration management and network-wide change
management, including automated upgrades, network rollback, and network snapshots
• Compliance dashboard for security, audit, and patch management
• Real-time state streaming for network telemetry and analytics
• State repository, analytics engines, and telemetry apps to provide an unprecedented level of granularity in real-time monitoring
and historic network state for forensic troubleshooting
The Forward Enterprise platform provides network intelligence that makes networks more predictable, agile and secure. Forward
Enterprise generates a vendor-neutral software abstraction (digital twin) that models the entire multi-vendor network infrastructure
including switches, routers, firewalls, and load balancers, both on-premises and in the cloud.
With available REST APIs, it easily integrates into new and existing network management workflows.
Forward Enterprise enables network, security, cloud engineers, and operators to:
• Search: search network behavior, configuration, and state network-wide with an intuitive and powerful interface. Find
any device in the network, including its connections and all forwarding behavior for fast root-cause isolation and incident
remediation. Perform complete end-to-end path analyses across the network for both on-prem and multi-cloud infrastructure
(support for AWS, Azure, and Google Cloud Platform).
• Verify: verify that the network is configured and behaving exactly as intended across on-prem, cloud, and virtual overlay
networks. Set, verify, and customize policies for the entire network. Continuously audit the network and receive timely,
• Security: enhance the network’s security posture with automated security posture connectivity analysis, blast radius of
compromised hosts, enhanced automated vulnerability analysis, and cloud security verification.
• Behavior Diffs: side-by-side comparison in one quick view of configuration file and state changes for any device, between
any points in time. Identify what policy rules and behavior checks have changed between snapshots. Quickly see new device
connections, topology changes, and interface updates. Learn how routes are altered due to changes with the ability to filter
results by VRF, next-hop address, IP destination, and more.
• Network Query Engine (NQE): query the network like a database. Define and perform custom verification checks.
• Predict: understand the outcome of network configuration changes for ACL and NAT environments. Proactively identify
potential connectivity and security policy violations.
• Dashboard: see key network insights with visualizations that are easily consumable and exportable.
CloudVision and Forward Enterprise Integrated Workflow
Figure 1: CloudVision and Forward Integrated Workflow
With this CloudVision and Forward Enterprise integration, users get a turn-key network verification platform that fits into any
operational workflow. Operators can prevent mistakes from propagating the entire network by using CloudVision to:
• Provide a single pane of glass to manage device software and configuration.
• Propose a change for one or more devices and analyze it to ensure it is feasible.
• Request a new pre-change network snapshot from the Forward Enterprise platform using an API call.
• Deploy the configuration change to the network.
• Provide real-time monitoring of the network and track the configuration changes over time.
• After the change is complete, send another API call to Forward Enterprise triggering another network snapshot and create
a comprehensive report of the differences in the network between the pre-change and post-change. The Forward report
includes configuration file and state, policy rules, behavior checks, device connections, interface, routes. Additionally, it will run
automated Network Query Engine
queries and validation tests.
Figure 2: Forward Enterprise pre- and post-change report
Forward Enterprise is key to continuously ensure that the network is compliant with security and availability policies. Interested in exploring the benefits of Forward Enterprise for your specific network needs? Request a demo