Introduction

Invariant is a system that validates your network according to user-provided rules in a highly scalable digital twin environment.

Invariant does not need access to your routers and switches; it works from their configuration files. That approach lets Invariant catch subtle failures in a secure, ephemeral environment long before a change reaches the production network.

The Invariant rule language is expressive and easy to use. Invariant critical flow rules assert that there is no case in which critical traffic could be dropped. Invariant deny rules restrict what traffic may be permitted to or from sensitive subnets, or define traffic flows that must never be allowed anywhere in the network.


Invariant is a vendor-agnostic network management tool which helps teams:

  • Make safe and correct network changes.
  • Visualize current, past, and proposed network states.
  • Prevent, detect, and respond to incidents.
  • Verify that a network is in continuous compliance with approved policy.
  • Plan network build-outs.
  • Onboard, migrate, and audit existing networks.

Invariant checks whether access policy rules written by you and your team pass or fail against your current or planned network. Access policy rules let you assert:

  • Critical traffic that must never be blocked.
  • Traffic that must always be blocked.
  • The only traffic permitted for a subnet, host, or VLAN.
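To make the two rule types above concrete, here is an added example that is not Invariant's own code and does not use Invariant's rule syntax. It builds a minimal first-match model of one IOS-style extended ACL (the ACL text is constructed for this example) and then checks a critical flow assertion (every source in a prefix must be permitted) and a deny assertion (no source in a sensitive subnet may be permitted) by enumerating every address in the prefix, which is what "no case exists" means in practice. The sample ACL deliberately contains a broad early permit that shadows a later deny, the kind of subtle failure a config-level check is meant to catch; the function names and the assertion inputs are hypothetical.

```python
"""Toy first-match ACL checker for critical-flow and deny assertions.

Added example only: this is not Invariant's code or rule language, just a
minimal model of IOS-style extended ACL semantics (first match wins, implicit
trailing deny) used to show what the two kinds of assertion evaluate.
"""
import ipaddress

# Constructed sample config for this example. Line 3 (the deny for
# 10.0.9.0/24) is shadowed by the broader permit on line 2, so it never fires.
SAMPLE_CONFIG = """\
ip access-list extended EDGE-IN
 permit udp any any eq 53
 permit tcp 10.0.0.0 0.0.255.255 host 10.1.1.5 eq 443
 deny   tcp 10.0.9.0 0.0.0.255 host 10.1.1.5 eq 443
 permit tcp any host 10.1.1.10 eq 22
 deny   ip any any
"""


def _wildcard_network(addr, wildcard):
    """Turn 'addr wildcard' (an IOS inverse mask) into an ip_network.

    The wildcard is converted to a netmask explicitly: passing a hostmask
    string straight to ip_network would read '0.0.0.0' as netmask /0 rather
    than as the /32 that a 0.0.0.0 wildcard means.
    """
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config_text):
    """Parse permit/deny lines into (action, proto, src_net, dst_net, dst_port).

    Only the subset of IOS syntax used in SAMPLE_CONFIG is handled: protocol
    ip/tcp/udp, the three address forms above, and an optional 'eq PORT'.
    """
    aces = []
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, blank line, or unsupported statement
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of one flow; unmatched flows hit the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, src_net, dst_net, port in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


def check_critical_flow(aces, proto, src_prefix, dst_ip, dst_port):
    """Critical-flow assertion: return every source address that would be dropped.

    An empty list means the assertion holds; a non-empty list is the set of
    counterexamples (addresses for which the critical traffic is blocked).
    """
    return [str(ip) for ip in ipaddress.ip_network(src_prefix)
            if evaluate(aces, proto, ip, dst_ip, dst_port) != "permit"]


def check_deny(aces, proto, src_prefix, dst_ip, dst_port):
    """Deny assertion: return every source address that would be permitted."""
    return [str(ip) for ip in ipaddress.ip_network(src_prefix)
            if evaluate(aces, proto, ip, dst_ip, dst_port) == "permit"]


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_CONFIG)
    # Critical flow: the 10.0.3.0/24 office must always reach the 443 service.
    print("critical 10.0.3.0/24 -> 10.1.1.5:443 dropped for:",
          check_critical_flow(aces, "tcp", "10.0.3.0/24", "10.1.1.5", 443))
    # Deny rule: the quarantined 10.0.9.0/24 subnet must never reach it.
    leaks = check_deny(aces, "tcp", "10.0.9.0/24", "10.1.1.5", 443)
    print(f"deny 10.0.9.0/24 -> 10.1.1.5:443 violated for {len(leaks)} addresses,"
          f" e.g. {leaks[:3]}")
```

Running it shows the critical-flow assertion holding and the deny assertion failing for all 256 addresses of 10.0.9.0/24, even though the ACL contains an explicit deny for that subnet: the broader permit above it matches first. Checking the assertion over every address, rather than spot-testing one, is what turns "I think this is blocked" into a proof or a concrete counterexample.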

Invariant can detect problems introduced by a wide range of network features, including BGP and OSPF routing and ACLs.

Invariant works by loading network config files (the files produced by RANCID, Oxidized, or show running-config) and rapidly constructing an efficient and accurate model of your entire network.