Fixing Your Snapshot
When you upload your snapshot for the first time, it is good to check a few reports to ensure the model is correct.
- Review unconnected_nodes for nodes that are not connected.
- If your network needs internet connectivity, review probes.
- Review file_parse_status for correct platform identification of each configuration file.
- Review ignored_lines and parse_warnings for issues that may affect the models.
Unconnected nodes
This report should remain empty. The codelab will have no unconnected nodes. If a change to your network causes unconnected nodes to appear, that could be a sign that a misconfiguration was introduced.
Checking internet connectivity
By default, Invariant will test connectivity from each node to a list of pre-selected public IP addresses and place the results in the probes report.
invariant show probes
+----+------------+-----------+---------------+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| | target | type | comment | ignore_filters | node_outcomes |
|----+------------+-----------+---------------+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | 1.1.1.1/32 | ICMP_ECHO | Default probe | True | {'asa': 'never', 'border-1': 'never', 'core-1': 'never', 'core-2': 'never', 'dc-1': 'never', 'dist-1': 'never', 'dist-2': 'never', 'dmzfw-1': 'never', 'dmzsw-1': 'never'} |
| 1 | 4.2.2.2/32 | ICMP_ECHO | Default probe | True | {'asa': 'never', 'border-1': 'never', 'core-1': 'never', 'core-2': 'never', 'dc-1': 'never', 'dist-1': 'never', 'dist-2': 'never', 'dmzfw-1': 'never', 'dmzsw-1': 'never'} |
| 2 | 8.8.8.8/32 | ICMP_ECHO | Default probe | True | {'asa': 'never', 'border-1': 'never', 'core-1': 'never', 'core-2': 'never', 'dc-1': 'never', 'dist-1': 'never', 'dist-2': 'never', 'dmzfw-1': 'never', 'dmzsw-1': 'never'} |
+----+------------+-----------+---------------+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Set --json to get JSON
See 'show --help' for more options
The border-1 device has no route to the internet, so the report shows that all devices have no connectivity to the public IP addresses.
This network expects a default route to be provided by its ISP through BGP. You will need to configure a placeholder ISP and connect it to the border-1 router.
You could continue using Invariant with the network as-is; however, it will not be possible to create accurate rules that govern internet-facing egress without a default route.
Configure the ISP settings in a dedicated file at batfish/isp_config.yaml. In the borderInterfaces section, specify the interfaces used for ISP peering. In the ispNodeInfo section, define details about the placeholder ISPs, including their type and ASN. The two supported types are TRANSIT and PRIVATE_BACKBONE. The TRANSIT type will model a transit network connecting to the public internet.
cat >> ./batfish/isp_config.json << EOF
{
  "borderInterfaces": [
    {
      "borderInterface": {
        "hostname": "border-1",
        "interface": "GigabitEthernet0/1"
      }
    },
    {
      "borderInterface": {
        "hostname": "border-1",
        "interface": "GigabitEthernet0/3"
      }
    }
  ],
  "ispNodeInfo": [
    {
      "asn": 64501,
      "name": "ISP1",
      "role": "TRANSIT"
    },
    {
      "asn": 64502,
      "name": "ISP2",
      "role": "TRANSIT"
    }
  ]
}
EOF
Invoking invariant run again will result in always for each host. Problem resolved!
invariant show probes
+----+------------+-----------+---------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| | target | type | comment | ignore_filters | node_outcomes |
|----+------------+-----------+---------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | 1.1.1.1/32 | ICMP_ECHO | Default probe | True | {'asa': 'always', 'border-1': 'always', 'core-1': 'always', 'core-2': 'always', 'dc-1': 'always', 'dist-1': 'always', 'dist-2': 'always', 'dmzfw-1': 'always', 'dmzsw-1': 'always', 'internet': 'always', 'isp_64501': 'always', 'isp_64502': 'always'} |
| 1 | 4.2.2.2/32 | ICMP_ECHO | Default probe | True | {'asa': 'always', 'border-1': 'always', 'core-1': 'always', 'core-2': 'always', 'dc-1': 'always', 'dist-1': 'always', 'dist-2': 'always', 'dmzfw-1': 'always', 'dmzsw-1': 'always', 'internet': 'always', 'isp_64501': 'always', 'isp_64502': 'always'} |
| 2 | 8.8.8.8/32 | ICMP_ECHO | Default probe | True | {'asa': 'always', 'border-1': 'always', 'core-1': 'always', 'core-2': 'always', 'dc-1': 'always', 'dist-1': 'always', 'dist-2': 'always', 'dmzfw-1': 'always', 'dmzsw-1': 'always', 'internet': 'always', 'isp_64501': 'always', 'isp_64502': 'always'} |
+----+------------+-----------+---------------+------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Set --json to get JSON
See 'show --help' for more options
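To catch a regression of this fix in review or CI, the probes report can be checked mechanically. The following is an added example, not part of Invariant or of the original codelab: it parses the text table as printed above and reports any node whose outcome is not always, plus any configured ISP that did not appear as a modeled node. The function names are hypothetical, and the `isp_<asn>` node naming is an assumption inferred from the report above.

```python
import ast

# Constructed sample in the layout of the report above (node list shortened).
PROBES_TABLE = """\
+----+------------+-----------+---------------+----------------+---------------+
|    | target     | type      | comment       | ignore_filters | node_outcomes |
|----+------------+-----------+---------------+----------------+---------------|
|  0 | 1.1.1.1/32 | ICMP_ECHO | Default probe | True | {'asa': 'always', 'border-1': 'always', 'isp_64501': 'always', 'isp_64502': 'always'} |
|  1 | 8.8.8.8/32 | ICMP_ECHO | Default probe | True | {'asa': 'never', 'border-1': 'always', 'isp_64501': 'always', 'isp_64502': 'always'} |
+----+------------+-----------+---------------+----------------+---------------+
Set --json to get JSON
"""

# The ispNodeInfo section from the ISP configuration shown earlier on this page.
ISP_CONFIG = {"ispNodeInfo": [
    {"asn": 64501, "name": "ISP1", "role": "TRANSIT"},
    {"asn": 64502, "name": "ISP2", "role": "TRANSIT"},
]}


def parse_probes(table_text):
    """Return {target: {node: outcome}} from the text table."""
    probes = {}
    for line in table_text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[0].isdigit():
            continue  # borders, header row and footer hints
        # node_outcomes is printed as a Python dict literal; literal_eval
        # parses it without executing anything.
        probes[cells[1]] = ast.literal_eval(cells[5])
    return probes


def check_snapshot(probes, isp_config):
    """Return a list of findings; an empty list means every probe is healthy."""
    findings = []
    # Assumption: modeled ISP nodes are named isp_<asn>, as in the report above.
    expected = {f"isp_{i['asn']}" for i in isp_config.get("ispNodeInfo", [])}
    for target, outcomes in probes.items():
        for node in sorted(expected - outcomes.keys()):
            findings.append(f"{target}: modeled ISP node {node} missing")
        for node, outcome in sorted(outcomes.items()):
            if outcome != "always":
                findings.append(f"{target}: {node} is '{outcome}'")
    return findings


if __name__ == "__main__":
    print("\n".join(check_snapshot(parse_probes(PROBES_TABLE), ISP_CONFIG)) or "ok")
```
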
File parse status
When you upload a snapshot, Invariant will parse each file. The file_parse_status report shows the status of each device configuration, including the nodes created and the file format determined.
Invoking invariant show file_parse_status will show that some files were partially unrecognized.
$ invariant show file_parse_status
+----+----------------------+------------------------+-------------+--------------+
|    | File_Name            | Status                 | File_Format | Nodes        |
|----+----------------------+------------------------+-------------+--------------|
|  0 | configs/asa.cfg      | PARTIALLY_UNRECOGNIZED | CISCO_ASA   | ['asa']      |
|  1 | configs/border-1.cfg | PARTIALLY_UNRECOGNIZED | CISCO_IOS   | ['border-1'] |
|  2 | configs/core-1.cfg   | PASSED                 | CISCO_IOS   | ['core-1']   |
|  3 | configs/core-2.cfg   | PASSED                 | CISCO_IOS   | ['core-2']   |
|  4 | configs/dc-1.cfg     | PASSED                 | CISCO_IOS   | ['dc-1']     |
|  5 | configs/dist-1.cfg   | PARTIALLY_UNRECOGNIZED | ARISTA      | ['dist-1']   |
|  6 | configs/dist-2.cfg   | PARTIALLY_UNRECOGNIZED | ARISTA      | ['dist-2']   |
|  7 | configs/dmzfw-1.cfg  | PARTIALLY_UNRECOGNIZED | CISCO_ASA   | ['dmzfw-1']  |
|  8 | configs/dmzsw-1.cfg  | PARTIALLY_UNRECOGNIZED | CISCO_IOS   | ['dmzsw-1']  |
+----+----------------------+------------------------+-------------+--------------+
Set --json to get JSON
See 'show --help' for more options
PARTIALLY_UNRECOGNIZED means the parser could not recognize every line in the configuration file. PARTIALLY_UNRECOGNIZED is not always bad; many lines in a configuration have nothing to do with the routing of packets, for example:
- Time zone configuration.
- IP of log sink.
- Exit or clear commands.
Fixing the EXTERNAL location error
Location not found.
For location 'EXTERNAL': Undefined location: 'EXTERNAL'.
Define the special 'EXTERNAL' location to resolve this error. This should correspond to the external boundary for your network.
The external boundary in the codelab network is on border-1 with interfaces GigabitEthernet0/1 and GigabitEthernet0/3, which connect to the ISP. Use the following command to create the necessary file.
cat >> ./invariant/locations/location.yaml << EOF
locations:
  EXTERNAL:
    - devices: border-1
      interfaces: GigabitEthernet0/1
    - devices: border-1
      interfaces: GigabitEthernet0/3
EOF
The error should be resolved when you next issue the invariant run command.