App Overview
This document provides an overview of the App including critical information and important considerations when applying it to your Nautobot environment.
What Does This App Do?
The Operational Compliance app for Nautobot helps network teams answer one critical question after making changes: "Did anything break?"
It works by collecting the operational state of your network devices before a change, collecting it again after the change, and then comparing the two to show you exactly what changed. If nothing changed that shouldn't have, it passes. If something unexpected changed, it fails and shows you the diff.
How It Works — The Three Phases
The app follows a straightforward three-phase workflow:
```mermaid
flowchart LR
    A["<b>1. Setup</b><br/>Define what to check"] --> B["<b>2. Collect</b><br/>Take snapshots of<br/>device state"] --> C["<b>3. Compare</b><br/>Diff the snapshots<br/>and view results"]
```
Phase 1: Setup
You tell the app what to check and how to collect the data. This involves creating three things, in this order:
- Validation Rules — Defines what you want to validate and how to compare the results. For example: "Check that all BGP neighbors are still up" using an exact match comparison. Think of this as the test definition.
- Command Parsers — Defines how to collect the data for a specific rule on a specific platform. For example: "On Cisco IOS devices, run show ip bgp summary, parse it with TextFSM, and extract the neighbor addresses and states." You need one Command Parser per platform per rule.
- Validation Rule Groups (optional) — Bundles multiple Validation Rules together so you can run them all at once. For example: "Pre-Upgrade Checks" might include rules for BGP, NTP, and interface status. This is a convenience for running related checks together.
Here's how these objects nest together:
```mermaid
flowchart TD
    subgraph VRG["<b>Validation Rule Group</b> — 'Pre-Upgrade Checks'"]
        subgraph VR1["<b>Validation Rule</b> — 'BGP Neighbors' (EXACT_MATCH)"]
            CP1["<b>Command Parser</b><br/>Cisco IOS: show ip bgp summary (TEXTFSM)"]
            CP2["<b>Command Parser</b><br/>Arista EOS: show ip bgp summary (TEXTFSM)"]
        end
        subgraph VR2["<b>Validation Rule</b> — 'NTP Status' (EXACT_MATCH)"]
            CP3["<b>Command Parser</b><br/>Cisco IOS: show ntp status (TEXTFSM)"]
            CP4["<b>Command Parser</b><br/>Arista EOS: show ntp status (TEXTFSM)"]
        end
    end
```
- Command Parsers live inside a Validation Rule — each rule has one parser per platform, so the same check works across different device types
- Validation Rules can be grouped into a Validation Rule Group — so you can run a bundle of related checks together in a single job
- When the Take Snapshot job runs, the app automatically matches each device to the correct Command Parser based on the device's platform
Phase 2: Collect (before and after each change)
When you're ready to make a change, you run the Take Snapshot job twice:
- Before the change: Run the job to collect the current device state. This creates a Snapshot — a named, timestamped collection of all the device outputs for the rules you selected.
- After the change: Run the same job again to collect the new device state into a second Snapshot.
Phase 3: Compare (review the results)
Run the Compare Snapshots job, selecting your "pre" and "post" snapshots. The app compares each device/rule pair and produces Validation Results — a pass/fail verdict for each check, along with a detailed diff showing exactly what changed.
Key Concepts at a Glance
| Concept | What It Is | Where to Find It |
|---|---|---|
| Validation Rule | A test definition — what to check and how to compare | Operations > Setup > Validation Rules |
| Command Parser | How to collect data for a rule on a specific platform | Operations > Setup > Command Parsers |
| Validation Rule Group | A bundle of rules to run together | Operations > Setup > Validation Rule Groups |
| Snapshot | A point-in-time collection of device state | Operations > Manage > Snapshots |
| Validation Result | The pass/fail outcome of comparing two snapshots | Operations > Manage > Validation Results |
| Take Snapshot | The job that collects device data | Jobs > Operational Compliance > Take Snapshot |
| Compare Snapshots | The job that diffs two snapshots | Jobs > Operational Compliance > Compare Snapshots |
Comparison Types
When creating a Validation Rule, you choose a rule type that determines how the "pre" and "post" data are compared:
| Rule Type | What It Does | Example Use Case |
|---|---|---|
| EXACT_MATCH | Fails if anything changed at all | BGP neighbor states must be identical |
| TOLERANCE | Allows numeric values to vary within a threshold | CPU usage can differ by up to 10% |
| PARAMETER_MATCH | Checks that specific fields match expected values | OS version must be "17.06.01" after upgrade |
| REGEX | Matches output against a regular expression pattern | Serial number must match [A-Z]{3}\d{6} |
| OPERATOR | Uses comparison operators (>, <, ==, !=) | Uptime must be greater than 0 |
For detailed information on configuring these rule types, see the Rule Types Reference. For JMESPath expressions and parser configuration, see the Command Parser Reference.
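
To make the five rule types concrete, here is an added Python sketch (not the app's own code) that applies each one to constructed pre/post data and returns a pass/fail verdict plus a diff per check. The function names, the data shape, and the reading of TOLERANCE as a percentage of the pre-change value are assumptions made for illustration.

```python
import operator
import re

# Constructed sample data: parsed command output per rule, before and after a change.
PRE = {"bgp": {"10.0.0.1": "Established", "10.0.0.2": "Established"},
       "cpu": {"five_min": 20.0}}
POST = {"bgp": {"10.0.0.1": "Established", "10.0.0.2": "Idle"},
        "cpu": {"five_min": 21.5},
        "device": {"os": "17.06.01", "serial": "FOC123456", "uptime": 340}}

OPS = {">": operator.gt, "<": operator.lt, "==": operator.eq, "!=": operator.ne}

def diff(pre, post):
    """Return {key: (pre, post)} for every key whose value differs or is missing."""
    keys = sorted(set(pre) | set(post))
    return {k: (pre.get(k), post.get(k)) for k in keys if pre.get(k) != post.get(k)}

def exact_match(pre, post):
    changed = diff(pre, post)
    return (not changed, changed)

def tolerance(pre, post, percent):
    """Assumption: threshold is a percentage of the pre value; missing data fails."""
    changed = {k: (a, b) for k, (a, b) in diff(pre, post).items()
               if a is None or b is None or a == 0 or abs(b - a) / abs(a) * 100 > percent}
    return (not changed, changed)

def parameter_match(post, expected):
    wrong = {k: (want, post.get(k)) for k, want in expected.items() if post.get(k) != want}
    return (not wrong, wrong)

def regex_match(post, field, pattern):
    value = str(post.get(field, ""))
    ok = re.fullmatch(pattern, value) is not None
    return (ok, {} if ok else {field: value})

def operator_check(post, field, op, reference):
    value = post.get(field)
    ok = value is not None and OPS[op](value, reference)
    return (ok, {} if ok else {field: value})

def compare_snapshots(pre, post):
    """Return {check name: (passed, diff)}, one entry per rule."""
    return {
        "bgp": exact_match(pre["bgp"], post["bgp"]),
        "cpu": tolerance(pre["cpu"], post["cpu"], percent=10),
        "os": parameter_match(post["device"], {"os": "17.06.01"}),
        "serial": regex_match(post["device"], "serial", r"[A-Z]{3}\d{6}"),
        "uptime": operator_check(post["device"], "uptime", ">", 0),
    }
```

In this sketch a key that is present in one snapshot and absent from the other counts as a change, so a neighbor that disappears fails the check instead of being silently skipped.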
Who Is This App For?
- Network engineers who need to validate device state before and after maintenance windows
- Automation engineers who want to build compliance checks into their change workflows
- Network security teams who need an audit trail of what changed and when
Prerequisites
Before using this app, you need:
- The app installed and configured
- Devices in Nautobot with Platforms assigned (the app uses platform to match devices to Command Parsers)
- The Nautobot Nornir Plugin configured for device connectivity (this is what the app uses to SSH to devices and run commands)