Can You Handle the Truth?
A lively debate sparked up after Networking Field Day 23, where we presented IP Fabric to a panel of delegates and hundreds of eager online viewers. Could we class our solution as a “Source of Truth” for the network? The conclusion was “Yes”. And “No”. So why the confusion and what did the question actually mean? I thought I’d try and get to the bottom of it …!
What is “Source of Truth”?
Network automation has come a long way. Once, that meant CLI scripts that you created by “mail merge”, then rolled into your network over a telnet session. Now we have sophisticated automation platforms which take desired state and through configuration templates, functions, modules and APIs, can push that state into network devices (and if you’re really lucky, roll them back again if they didn’t complete.) But where does that desired state come from? You need to decide and record which features and parameters you want to enable and push out to which devices …
And so you create a database – a bunch of spreadsheets, SQL, DCIM (Data Center Infrastructure Manager) or IPAM (IP Address Management) system – containing those feature definitions and parameters. And your templates are rendered using the data from that system into intended config state. This is typically referred to as the “Source of Truth”, SoT (or sometimes “Single Source of Truth”, SSoT).
The idea is that there is only one place to store that data – the ultimate reference source of desired configuration. Update that and the implied intention is that the network config is required to be changed. Typically that information would be version controlled and tracked, often using git or a similar VCS (version control system).
When is the SoT not an SSoT?
… when it doesn’t hold all the information in one place! A Single Source of Truth can simply be a placeholder or proxy for the collection of reference sources for individual pieces of the network data puzzle.
You may use an IPAM system to record the definitive IP addressing schema that you want to use. You may use a CMDB to track your network device inventory details. These would be referred to as Systems of Record. Ultimately your network automation needs to access information from both of these sources in order to render configurations. So an SSoT would zip that information together as required.
So is IP Fabric an SoT? Or an SSoT?
Within the accepted conventional definition, not really. As the inventory, configuration and state data in IP Fabric is harvested from network devices, it doesn’t represent intended state. It isn’t able to be changed or updated manually. IP Fabric builds a vendor-neutral snapshots of the state of the network as a whole. It reflects – in great detail – the state of the network as it is operating at a point in time. It is queried through Web UI or API , visually or in tabulated data. As such, it doesn’t store intended state, but actual state.
But that’s not the complete story. Because along with the data from the network, we can build a series of intent verification checks. We use filters and classifications on that data to verify that active network complies with an intended state. For a simple example, we can ensure that all network devices are configured to a specific set of management parameters. We verify that NTP, SNMP and syslog match a set of criteria at every snapshot, and present a compliance report.
The 100+ embedded verification checks that ship with the platofrm range from the simple (eg checking where VLAN 1 is in use) to the complex (eg ensuring Spanning Tree root and FHRP active gateways align) and everything in between (eg checking MTU sizes at either end of a link match).
Whilst there is a mechanism to store intent in IP Fabric, it isn’t used to render the intent as configuration. Verification checks are run against every snapshot and provide us with a way of validating intent on an ongoing basis.
So “Kind Of”?
We also carry out simulated end-to-end path checks at each snapshot. This allows us to validate that paths are as you expect them, and firewall rules allow connections only as intended.
All of these intent verification checks are built both through either Web UI, or IP Fabric’s extensive REST API. This provides us with the ability to update the intent verifications in IP Fabric while you render the configurations from the intended state data, thus confirming at each snapshot that the state is matching the original intent from the SoT.
IP Fabric’s new webhooks feature which allows us to notify an external platform when verification checks are completed. This can be used to provide a feedback mechanism for when actual state has drifted from intended state.
A Dedicated SSoT is Optimal
In IP Fabric we compare the intent with the network state that is discovered at the time of the snapshot. If for some operational reason, a part of the network is down, or if a partial snapshot is run to validate a change in a particular area of the network, then we only have partial data. And that is not useful for expressing intent across the whole network.
It is more optimal to use IP Fabric in tandem with a dedicated SoT like the open-source project Netbox. IP Fabric would then be used to cross-validate that the data in the SoT is correct and up to date. This effectively treats IP Fabric as a System of Record for active network state. An automation platform like Ansible might then be used to render configurations.
Using the API, IP Fabric intent verification rules can be built from the data defined in the SoT to confirm that the network configuration and behaviours matches the intent expressed in the templates. If state doesn’t match intent, webhooks can be used to notify the orchestration/automation platform that adjustments need to be made. So not only would we automate the network device configuration from the SoT but also IP Fabric configuration!
Based on current accepted definitions, IP Fabric would not be considered a “Single Source of Truth” for intended state. It would be more accurately considered a System of Record for existing network state. It would be used in conjunction with a SSoT to measure compliance with intent. And if required, it would then trigger activity to rectify any drift.
Look out for the next article, where we’ll consider Intent-Based Networking in a little more detail!
If you have found this article helpful, please follow our company’s LinkedIn or Blog, where more content will be emerging. If you would like to test our solution to see for yourself how IP Fabric can help you manage your network more effectively, please contact us through www.ipfabric.io.