In Part 1 of this blog, I discussed the power of network verification compared to traditional network testing. Verification is the mathematical and logical analysis of your current network configurations and state to detect and highlight violations of your policies and intent. Verification can take you from being "Pretty Sure" your network is configured correctly, to being "Absolutely Sure" your intent is represented in the network. This capability is delivered in Forward Enterprise, our full-featured platform designed for large enterprise and provider networks, including multi-site data centers, private clouds, corporate backbones and telco-class infrastructure.
It is important to note that Forward Enterprise is not a monitoring or performance management tool. In fact, it doesn’t look at live traffic. Forward Networks creates a software model based on a snapshot of the network, and can perform end-to-end analysis of the range of possible behaviors under all scenarios and conditions. It doesn’t test a packet going over the link, it will find the boundary conditions that you haven't thought to test for. That will allow you to head off problems before they occur. And help you avoid tedious weeks of box-by-box analysis and root cause research.
It all starts with collection and search...
Forward Enterprise builds a software model of your network after collecting all configuration and state information from each device. Much like Google crawls the Internet for new content and links between web sites, Forward crawls devices and organizes a snapshot of all network links and information. We even understand subtle behavior differences between specific networking or firewall vendors to ensure accurate analysis of traffic behavior in the live network. From the collection, Forward builds a complete inventory and topology diagram.
Most of our customers find this initial inventory and topology display immensely useful because it can identify devices you may have forgotten about, or are obviously not performing any productive function. For example, a device may be physically connected in the network, but misconfigured to not support any real traffic flows. Since all possible routes into and from each device are analyzed and displayed, it becomes immediately apparent where links are up, down, or have no potential traffic flows. But it gets much better when you can create sophisticated queries into the network model.
From search to verification
Forward Search is one of the three key functional pillars of Forward Enterprise, along with Verify and Predict. But each of the three capabilities allow you to develop extremely interesting behavioral queries about the intent and performance of the network. A simple search query could be structured such as "show all the inbound internet traffic paths reaching a rack of servers, or a particularly virtual switch, that don't use destination port 443". This might show vulnerabilities on non-SSL ports that your network might be allowing through. If that's possible, it's easy to trace flows through each device in the path that are misconfigured and how to remediate. Virtually any network attribute, protocol or device state can be queried to quickly isolate inconsistencies or violations of your network intent.
When you define your network intent as a series of network policy requirements, each requirement becomes essentially a search query and a check is performed. Again, any deviations from the pre-defined network intent are quickly identified and isolated. Forward Enterprise comes with several pre-defined policy checks, as shown below, including checking for forwarding loops, IP address uniqueness, consistency across all links for VLANs, MTU, speed, duplex-type, etc.
Forward also allows you to define your own policy requirements for your own network intent very easily. User-defined checks provide the ultimate flexibility to incorporate specifics of your network design and application requirements. In the example scenario below, we see the failure of the user-defined check for only SSL traffic being allowed to reach a set of web servers.
Whenever one of your intents fail, it’s not only easy to quickly drill down to the explicit scenario that violated the policy, but to analyze the individual device(s) that are misconfigured and to see the specific device configurations and states that generated the policy violations. As you make network changes and update potential errors, you can also immediately see on the dashboard if any new violations have been introduced and what overall impact any changes will have.
Forward Networks has introduced a powerful new weapon to be able to mathematically model and analyze the network in aggregate. Against live scenarios, as well as ones that are coming in the future. The ones you don’t know about. The ones you didn’t plan for. The ones you couldn’t test. That's the power of network verification. And understanding your network intent today is the first step towards intent-based networking.
Forward Enterprise can help reveal your network intent today, on any existing network, and to identify where configuration errors could be causing your problems now or in the future. It's non-intrusive, installs in minutes, and doesn't disrupt current operations. For a live demo and to see how it could model and analyze your network environment, sign up here.
Learn the modern way that companies stay off the front page
Experience a demo of the Forward Platform