April 26, 2018

Automate Policy Verification to Accelerate NetOps and Change Windows

by Charlie Elliott

In agile network operations, network configurations need to be updated to reflect new application or policy requirements, or to implement a change in network behavior. As business and application requirements change, we have to translate new policies into specific network configuration changes in one or more devices.

In Figure 1, we describe the workflow of rolling out a network update. From the current operational state of the network, we have to respond to a new intent or policy requirement with proposed configuration changes. The development of the change candidate by network engineers is reviewed by various teams and architects, including security. These design reviews can be tedious and manual, and may highlight additional changes or corrections to minimize the impact on existing infrastructure.

Once the candidate change has been approved, it moves into the network lab for testing. But this step can usually only provide cursory testing because the lab network is not running at the scale of the production network, nor can the proposed change be evaluated under all scenarios and conditions that will actually arise over time. In order to improve network agility, testing has to be short and efficient, but this also increases risk and potential for issues post-deployment. After the proposed update has completed the test scenarios, it is pushed to a configuration repository and scheduled for deployment.


Figure 1 – Overview of a network change process, including candidate change development, testing and deployment.

Accelerating Change Windows and NetOps with Forward Networks

How can we accelerate the above workflow to increase network agility and reliability, and better align network teams with DevOps processes? Forward Networks has developed the industry-leading solution for analyzing network behavior and verifying configurations in a software model of the network. This allows for rapid evaluation and verification of proposed changes outside the live network, and can automate many of the lengthy review and testing processes.

Automating the Verification Process

Network verification provides assurance that proposed changes accurately implement all of the defined network policies. Rather than looking at live traffic and reporting on current activity, verification proactively analyzes the network configuration files to build a behaviorally accurate software model, and then identifies scenarios under which the current implementation could fail to meet policy objectives. In Figure 2, we see how various features of the Forward Enterprise solution, our flagship product, can automate and improve our earlier workflow.


Figure 2 – Leveraging Forward Networks in a network change process workflow can accelerate deployment time with greater confidence that risk and potential configuration errors have been eliminated.

For example, the initial change of policy or intent can be defined in Forward Enterprise as a policy rule or check. That policy rule would be verified against future network implementations and any configurations that would violate that rule would be immediately flagged (as in Figure 4). The new intent rule would be added to the overall rule repository and verified along with all other rules as part of the pre- and post-change verification.
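A minimal sketch of this pre- and post-change check, added here as an illustration and not Forward Enterprise code or its API. The topology, host names, deny-ACL format and the functions `reachable` and `verify` are all assumptions constructed for the example.

```python
from collections import deque
from copy import deepcopy

# Constructed snapshot of a toy network (not real device configuration).
# A deny entry is (src_host, dst_host, port); "*" matches anything.
CURRENT = {
    "links": {"edge1": ["core"], "edge2": ["core"],
              "core": ["edge1", "edge2", "dc-fw"], "dc-fw": ["core"]},
    "attached": {"web": "edge1", "guest": "edge2", "db": "dc-fw"},
    "deny": {"dc-fw": [("guest", "*", "*")]},
}

# Intent rules: (name, src, dst, port, expected reachability).
RULES = [
    ("web-to-db-sql", "web", "db", 5432, True),
    ("guest-isolated-from-db", "guest", "db", 5432, False),
]

def permits(snapshot, device, flow):
    """True unless one of the device's deny entries matches the flow."""
    for rule in snapshot["deny"].get(device, []):
        if all(r == "*" or r == f for r, f in zip(rule, flow)):
            return False
    return True

def reachable(snapshot, src, dst, port):
    """Breadth-first search over devices that permit the flow."""
    flow = (src, dst, port)
    start, goal = snapshot["attached"][src], snapshot["attached"][dst]
    if not permits(snapshot, start, flow):
        return False
    seen, queue = {start}, deque([start])
    while queue:
        dev = queue.popleft()
        if dev == goal:
            return True
        for nxt in snapshot["links"].get(dev, []):
            if nxt not in seen and permits(snapshot, nxt, flow):
                seen.add(nxt)
                queue.append(nxt)
    return False

def verify(snapshot, rules=RULES):
    """Return the names of intent rules the snapshot violates."""
    return [n for n, s, d, p, want in rules if reachable(snapshot, s, d, p) != want]

def candidate_change():
    """Proposed change: narrow the guest deny to one port (the wrong one)."""
    cand = deepcopy(CURRENT)
    cand["deny"]["dc-fw"] = [("guest", "*", 3306)]
    return cand
```

Running `verify(CURRENT)` returns no violations, while `verify(candidate_change())` flags `guest-isolated-from-db` before the change reaches any device.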

Network Analysis with Forward Search and API queries

Forward Enterprise is a large database of network configurations, state and behavior information from a series of individual snapshots in time. The software model of networking behavior simulates traffic behavior accurately and predicts which vulnerabilities or scenarios will cause policy violations. Like any database, the Forward Platform can be queried, with the behavior and policy results being displayed in an intuitive and interactive network map (see “API access” block in Figure 2 and Figure 3 below).


Figure 3 – Queries or Searches in Forward Enterprise are expressed as network policies. Results show all viable or possible paths that support the policy. Each path and hop along the path can be explored to better understand impact of potential changes or current policy implementations.

Similarly, candidate changes can be peer reviewed quickly and automatically in Forward Enterprise (see “Acceptance Test” block in Figure 2). After an initial policy query, it becomes clear how network traffic paths will be affected by the new change (as shown in Figure 3). With the automated and more detailed review available from Forward Networks, networking teams can proceed toward deployment with greater confidence and fewer manually intensive test scenarios.


Figure 4 – Forward Enterprise quickly highlights which policy rules are violated in the current network design or in a proposed change candidate. This information, the result of a Forward Verify query, is available through a REST API for visibility in other applications or by external teams. New queries, potentially driven by new application requirements or policies, can also be easily built using the Forward Search interface to verify whether a particular policy is supported or what would need to be changed to support it.

Summary

In recent years, there has been a great deal of focus on network automation in order to increase IT agility and to better align network operations (NetOps) with accelerated DevOps processes. That focus has been mainly on accelerating network deployments and automating virtual network configurations to support new application requirements.

Forward Networks has now delivered a new platform that focuses on the automation of network design verification, network analysis and change processes. Network verification, a new methodology to analyze network designs and configuration changes, can both provide greater confidence by reducing network risk and preventing outages, and accelerate the once-manual design, review and testing processes that slowed network agility and resulted in lengthy change windows.
