In agile network operations, network configurations need to be updated to reflect new application or policy requirements, or to implement a change in network behavior. As business and application requirements change, we have to translate new policies into specific network configuration changes in one or more devices.
In Figure 1, we describe the workflow of rolling out a network update. From the current operational state of the network, we have to respond to a new intent or policy requirement with proposed configuration changes. The development of the change candidate by network engineers is reviewed by various teams and architects, including security. These design reviews can be tedious and manual, and may highlight additional changes or corrections to minimize the impact on existing infrastructure.
Once the candidate change has been approved, it moves into the network lab for testing. But this step can usually only provide cursory testing because the lab network is not running at the scale of the production network, nor can the proposed change be evaluated under all scenarios and conditions that will actually arise over time. In order to improve network agility, testing has to be short and efficient, but this also increases risk and potential for issues post-deployment. After the proposed update has completed the test scenarios, it is pushed to a configuration repository and scheduled for deployment.
Figure 1 – Overview of a network change process, including candidate change development, testing and deployment.
Accelerating Change Windows and NetOps with Forward Networks
How can we accelerate the above workflow to increase network agility and reliability, and better align network teams with DevOps processes? Forward Networks has developed the industry-leading solution for analyzing network behavior and verifying configurations in a software model of the network. This allows for rapid evaluation and verification of proposed changes outside the live network, and can automate many of the lengthy review and testing processes.
Automating the Verification Process
Network verification provides assurance that proposed changes accurately implement all of the defined network policies. Rather than looking at live traffic and reporting on current activity, verification proactively analyzes the network configuration files to build a behaviorally accurate software model, and then identifies scenarios under which the current implementation could fail to meet policy objectives. In Figure 2, we see how various features of the Forward Enterprise solution, our flagship product, can automate and improve our earlier workflow.
Figure 2 – Leveraging Forward Networks in a network change process workflow can accelerate deployment time with greater confidence that risk and potential configuration errors have been eliminated.
For example, the initial change of policy or intent can be defined in Forward Enterprise as a policy rule or check. That policy rule would be verified against future network implementations and any configurations that would violate that rule would be immediately flagged (as in Figure 4). The new intent rule would be added to the overall rule repository and verified along with all other rules as part of the pre- and post-change verification.
Network Analysis with Forward Search and API queries
Forward Enterprise is a large database of network configurations, state and behavior information from a series of individual snapshots in time. The software model of networking behavior simulates traffic behavior accurately and predicts which vulnerabilities or scenarios will cause policy violations. Like any database, the Forward Platform can be queried, with the behavior and policy results being displayed in an intuitive and interactive network map (see “API access” block in Figure 2 and Figure 3 below).
Figure 3 – Queries or Searches in Forward Enterprise are expressed as network policies. Results show all viable or possible paths that support the policy. Each path and hop along the path can be explored to better understand impact of potential changes or current policy implementations.
Similarly, candidate changes can be quickly peer reviewed automatically in Forward Enterprise (see “Acceptance Test” block in Figure 2). After an initial policy query, it becomes clear how network traffic paths will be affected by the new change (as shown in Figure 3). With the automated and more detailed review available from Forward Networks, networking teams can proceed towards deployment with greater confidence and less manually-intensive test scenarios.
Figure 4 – Forward Enterprise quickly highlights which policy rules are violated in the current network design or in a proposed change candidate. This information, the result of a Forward Verify query, is available through a REST API for visibility in other applications or by external teams. New queries, potentially driven by new application requirements or policies, can also be easily built using the Forward Search interface to verify if a particularly policy is supported or what would need to be changed to support it.
Summary
In recent years, there has been a great deal of focus on network automation in order to increase IT agility and to better align network operations (NetOps) with accelerated DevOps processes. That focus has been mainly on accelerating network deployments and automating virtual network configurations to support new application requirements.
Forward Networks has now delivered a new platform that focuses on the automation of network design verification, network analysis and change processes. Network verification, a new methodology to analyze network designs and configuration changes, can both provide greater confidence by reducing network risk and preventing outages, as well as accelerating once-manual design, review and testing processes that slowed network agility and resulted in lengthy change windows.
