In [1]:
import os
from pybatfish.client.session import Session
import pandas as pd
import yaml
from os.path import abspath, dirname, join, pardir, realpath
from netaddr import *
from deepdiff import DeepDiff
from pprint import pprint

%run ../code/bgp_route_helpers
%run ../code/gen_external_bgp_adverts

#pandas display options
pd.set_option("display.width", 300)
pd.set_option("display.max_columns", 20)
pd.set_option("display.max_rows", 1000)
pd.set_option("display.max_colwidth", -1)

#snapshot directory and path setup
_this_dir = os.getcwd()
_root_dir = abspath(join(_this_dir, pardir))

In [2]:
# create BF session and initialize snapshot
try:
    bf = Session.get('bfe') #Batfish Enterprise
except:
    bf = Session.get('bf') #Batfish Open-source

# Demo Network
<style>
    .image {
        display: block; 
        margin-left: 20px; 
        margin-right: 20px; 
        width:50%; 
    }
</style>
<img src="./nanog-demo3-network.png" class="image">

In [3]:
NETWORK = "Nanog-demo2"
BASE_SNAPSHOT_DIR = f"{_root_dir}/snapshots/demo2/base"
BASE_SNAPSHOT_NAME = "base"

bf.set_network(NETWORK)
bf.init_snapshot(BASE_SNAPSHOT_DIR, name=BASE_SNAPSHOT_NAME, overwrite=True)

'base'

### ISP01 wants to advertise prefixes under 14.1.0.0/16 with a prefix length of /24 or longer for loadbalancing purposes

In [4]:
# retrieve the BGP routes advertised from external peers (BGP-Adj-RIB-In)
base_bgp_announce = get_snapshot_bgp_announcements(BASE_SNAPSHOT_DIR)['Announcements']
show_bgp_long_pfx_announcements(base_bgp_announce, "14.1.0.0/16")

14.1.128.0/26 advertised to pe3:11.1.2.0 by isp01-nyc:11.1.2.1
14.1.128.64/26 advertised to pe3:11.1.2.0 by isp01-nyc:11.1.2.1
14.1.129.0/25 advertised to pe3:11.1.2.0 by isp01-nyc:11.1.2.1
14.1.12.0/26 advertised to pe1:11.1.1.0 by isp01-den:11.1.1.1
14.1.12.64/26 advertised to pe1:11.1.1.0 by isp01-den:11.1.1.1
14.1.13.0/27 advertised to pe1:11.1.1.0 by isp01-den:11.1.1.1
14.1.13.32/27 advertised to pe1:11.1.1.0 by isp01-den:11.1.1.1
14.1.13.64/27 advertised to pe1:11.1.1.0 by isp01-den:11.1.1.1
14.1.13.96/27 advertised to pe1:11.1.1.0 by isp01-den:11.1.1.1


In [5]:
check_routes_for_subnets(bf, "14.1.0.0/16")

Unnamed: 0,Node,VRF,Network,Next_Hop,Next_Hop_IP,Next_Hop_Interface,Protocol,Metric,Admin_Distance,Tag


**We have confirmed that our routing policy is blocking the prefixes that are > /24 in length from isp01.**


**We want to allow such prefixes from isp01 for loadbalancing purposes so let's change our configuration and see if that does the trick.**

### Change the input routing policy towards ***isp01*** across all PE devices

In [6]:
# snapshot with new route policy to accomodate peer loadbalancing request
TEST1_SNAPSHOT_DIR = f"{_root_dir}/snapshots/demo2/test1"
TEST1_SNAPSHOT_NAME = "test1"

t = bf.fork_snapshot(BASE_SNAPSHOT_NAME, name=TEST1_SNAPSHOT_NAME, add_files=TEST1_SNAPSHOT_DIR, overwrite=True)

In [7]:
stream = os.popen(f"icdiff -r --cols=160 {BASE_SNAPSHOT_DIR} {TEST1_SNAPSHOT_DIR} -U 2")
print(stream.read())

[0;35mOnly in /Users/samir/git/nanog78/snapshots/demo2/base/configs: cust01.cfg[m
[0;35mOnly in /Users/samir/git/nanog78/snapshots/demo2/base/configs: cust02.cfg[m
[0;35mOnly in /Users/samir/git/nanog78/snapshots/demo2/base/configs: isp01-den.cfg[m
[0;35mOnly in /Users/samir/git/nanog78/snapshots/demo2/base/configs: isp01-nyc.cfg[m
[0;35mOnly in /Users/samir/git/nanog78/snapshots/demo2/base/configs: isp02-chi.cfg[m
[0;34m/Users/samir/git/nanog78/snapshots/demo2/base/configs/pe1.cfg[m                   [0;34m/Users/samir/git/nanog78/snapshots/demo2/test1/configs/pe1.cfg[m                 
ip prefix-list ISP1001-IN seq 5 permit 0.0.0.0/0 le 23                          ip prefix-list ISP1001-IN seq 5 permit 0.0.0.0/0 le 23                         
!                                                                               !                                                                              
                                                                       

**Let's see if the target routes are accepted by pe1 and pe3**

In [8]:
check_routes_for_subnets(bf, "14.1.0.0/16", 'pe1,pe3').head(5)

Unnamed: 0,Node,VRF,Network,Next_Hop,Next_Hop_IP,Next_Hop_Interface,Protocol,Metric,Admin_Distance,Tag
6,pe3,default,14.1.12.64/26,isp01-den,11.1.1.1,dynamic,ibgp,8,170,
55,pe1,default,14.1.12.0/26,isp01-den,11.1.1.1,dynamic,bgp,2,20,
57,pe3,default,14.1.13.0/27,isp01-den,11.1.1.1,dynamic,ibgp,6,170,
58,pe1,default,14.1.13.64/27,isp01-den,11.1.1.1,dynamic,bgp,17,20,
63,pe1,default,14.1.129.0/25,isp01-nyc,11.1.2.1,dynamic,ibgp,49,200,


**We can also check the difference in the routing tables between the TEST1 and BASE snapshots**

In [9]:
rtd = bf.q.routes().answer(snapshot=TEST1_SNAPSHOT_NAME, reference_snapshot=BASE_SNAPSHOT_NAME).frame()
get_accepted(rtd, "14.1.0.0/16").head(5)

Unnamed: 0,Node,Network,Entry_Presence,Snapshot_Next_Hop,Reference_Next_Hop
5,pe1,14.1.13.32/27,Only in Snapshot,isp01-den,
29,pe1,14.1.12.64/26,Only in Snapshot,isp01-den,
33,pe1,14.1.128.0/26,Only in Snapshot,isp01-nyc,
37,pe1,14.1.13.64/27,Only in Snapshot,isp01-den,
39,pe1,14.1.12.0/26,Only in Snapshot,isp01-den,


**Let's check if any of the prefixes are leaked**

In [10]:
get_leaked(rtd, "14.1.0.0/16").head(5)

Unnamed: 0,Node,Network,Entry_Presence,Snapshot_Next_Hop,Reference_Next_Hop
3,cust01,14.1.12.0/26,Only in Snapshot,pe1,
4,cust01,14.1.129.0/25,Only in Snapshot,pe1,
8,cust01,14.1.12.64/26,Only in Snapshot,pe1,
13,cust01,14.1.13.96/27,Only in Snapshot,pe1,
21,cust01,14.1.128.64/26,Only in Snapshot,pe1,


**The change correctly allows those prefixes into our network, but is not preventing them from being passed to other peers.**


### Let's analyze the BGP routing policy difference on pe1 between snapshot test1 and base to gain some insight

In [11]:
node = 'pe1'
direction = 'in'
peer = '11.1.1.1'

ref_snapshot = 'base'
cur_snapshot = 'test1'

rt = convert_ext_bgp_to_bgp_route(bf, node, peer, base_bgp_announce)

In [12]:
df = compare_bgp_peer_policies(bf, node, peer, ref_snapshot, cur_snapshot, direction, rt)

**Display routes that were previously permitted, but are now denied**

In [13]:
find_newly_denied_routes(df)

Unnamed: 0,Route,Old Action,Old Transformation,New Action,New Transformation


**Display routes that were previously denied, but are now permitted**

In [14]:
find_newly_permitted_routes(df)

Unnamed: 0,Route,Old Action,Old Transformation,New Action,New Transformation
0,14.1.12.0/26,DENY,,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]"
1,14.1.12.64/26,DENY,,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]"
2,14.1.13.0/27,DENY,,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]"
3,14.1.13.32/27,DENY,,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]"
4,14.1.13.64/27,DENY,,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]"
5,14.1.13.96/27,DENY,,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]"


**Display routes that were previously permitted, but have a change in BGP attributes (communities, local-pref, ASPATH, etc...)**

In [15]:
find_routes_with_attrib_change(df)

Unnamed: 0,Route,Old Action,Old Transformation,New Action,New Transformation


### Let's fix the input routing policies towards ***ISP01*** on ***pe1*** and ***pe3*** to prevent the >/24 prefixes from leaving our network

In [16]:
# snapshot with new route policy to accomodate peer loadbalancing request
TEST2_SNAPSHOT_DIR = f"{_root_dir}/snapshots/demo2/test2"
TEST2_SNAPSHOT_NAME = "test2"

t = bf.fork_snapshot(TEST1_SNAPSHOT_NAME, name=TEST2_SNAPSHOT_NAME, add_files=TEST2_SNAPSHOT_DIR, overwrite=True)

In [17]:
stream = os.popen(f"icdiff -r --cols=160 {TEST1_SNAPSHOT_DIR} {TEST2_SNAPSHOT_DIR} -U 2")
print(stream.read())

[0;34m/Users/samir/git/nanog78/snapshots/demo2/test1/configs/pe1.cfg[m                  [0;34m/Users/samir/git/nanog78/snapshots/demo2/test2/configs/pe1.cfg[m                 
route-map ISP1001-IN permit 20                                                  route-map ISP1001-IN permit 20                                                 
 match ip address prefix-list ISP1001-IN24                                       match ip address prefix-list ISP1001-IN24                                     
 set community 1001:1                                                            set community 1001:1[1;32m no-export[m                                                
!                                                                               !                                                                              
route-map ISP1001-IN permit 30                                                  route-map ISP1001-IN permit 30                                                 
[0;34m/Us

### Let's see if any routes are still being leaked outside of our AS

In [18]:
rtd = bf.q.routes().answer(snapshot=TEST2_SNAPSHOT_NAME, reference_snapshot=TEST1_SNAPSHOT_NAME).frame()
get_leaked(rtd, "14.1.0.0/16").head(5)

Unnamed: 0,Node,Network,Entry_Presence,Snapshot_Next_Hop,Reference_Next_Hop
2,cust01,14.1.13.96/27,Only in Reference,,pe1
6,cust01,14.1.12.64/26,Only in Reference,,pe1
7,cust01,14.1.13.32/27,Only in Reference,,pe1
9,cust01,14.1.13.0/27,Only in Reference,,pe1
13,cust01,14.1.128.0/26,Only in Reference,,pe1


**The prefixes with length >/24 are only present in *test2*, as denoted by *Only in Reference* in the *Entry_Presence* column, so the change is preventing the route-leak**

### Let's look at the BGP routing policy difference to make sure we still accept these routes for propogation within our AS

**Let's analyze the BGP routing policy difference on pe1 between snapshot test2 and test3**

In [19]:
ref_snapshot = 'test1'
cur_snapshot = 'test2'

rt = convert_ext_bgp_to_bgp_route(bf, node, peer, base_bgp_announce)
df = compare_bgp_peer_policies(bf, node, peer, ref_snapshot, cur_snapshot, direction, rt)

**Display routes that were previously permitted, but are now denied**

In [20]:
find_newly_denied_routes(df)

Unnamed: 0,Route,Old Action,Old Transformation,New Action,New Transformation


**Display routes that were previously denied, but are now permitted**

In [21]:
find_newly_permitted_routes(df)

Unnamed: 0,Route,Old Action,Old Transformation,New Action,New Transformation


**Display routes that were previously permitted, but have a change in BGP attributes (communities, local-pref, ASPATH, etc...)**

In [22]:
find_routes_with_attrib_change(df)

Unnamed: 0,Route,Old Action,Old Transformation,New Action,New Transformation
0,14.1.12.0/26,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]",PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1, 65535:65281]'}]"
1,14.1.12.64/26,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]",PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1, 65535:65281]'}]"
2,14.1.13.0/27,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]",PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1, 65535:65281]'}]"
3,14.1.13.32/27,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]",PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1, 65535:65281]'}]"
4,14.1.13.64/27,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]",PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1, 65535:65281]'}]"
5,14.1.13.96/27,PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1]'}]",PERMIT,"[{'fieldName': 'communities', 'oldValue': '[1001:60001]', 'newValue': '[1001:1, 65535:65281]'}]"


#### The new routing policy adds the ***no-export (65535:65281)*** community to the prefixes that are >/24, preventing them from leaving the AS

# END