The Science of A/B Path Calculation

Chris Lopez
By Chris Lopez October 4, 2018 5 minute read
Chris Lopez is a technical marketing professional at NetBrain. Chris entered the tech field in 2010, getting his first internship at Fortinet, and spent his career specializing in network engineering and security in finance, federal, and private sector environments.

A/B Path behaves like a network engineer, logging into devices hop-by-hop to mimic the actual path of a packet along a network. It will consider policies, ACLs, routing tables, and indicate to the user when these attributes prevent a packet from crossing a network threshold.

In this article, I’m going to go over the elemental logic of NetBrain’s A/B path calculator and illustrate how it stands out from any other tool currently available on the market.

Mapping Application Dependencies

This tool is most valuable when it can be can be applied into a larger abstraction of network documentation – the ability to map application dependencies.

In the context of NetBrain, an application dependency refers to an external device on the network that the application relies on to function properly. Using A/B path, a user can clearly trace the dependencies of applications and workflows across their environment.


The Device Log

The device log is a multi-step panel within the A/B calculation tool that demonstrates to the user what logical steps NetBrain is taking to determine the path of the packet, depending on the type of traffic it is being asked to run. Once it finds the logic the device is using to forward traffic, it will find the next hop in the path.

Here, we can see in close detail how NetBrain is parsing the CLI configs of each device it manages to give the user a more complete understanding of their own network and how traffic flows within it.

What’s interesting is that this logic will change based on the type of device that’s being analyzed!

ACI Path & VRFs

In this example, the A/B Path calculator is running across a network running Cisco ACI. Here, you can see the packet encountering VRFs within each of the leaf devices and posting specific notes on the map to point out specific interfaces, VLANs, Virtual IP translations, and ACLs permitting traffic throughout the network.

Here, in this calculation, we can see the device logic changes when dealing with SDN devices. It prioritizes virtualized network functions in order to understand traffic logic, but it still indicates when traffic was permitted through an ACL. In addition, A/B path also indicates where a Virtual IP translation occurred along the next hop.

Access Control Lists

Here, the A/B Path calculator is encountering an issue with a device’s ACL. NetBrain shows you which device had the deny event, and places a note specifying which ACL caused the packet to be denied. In the beginning, it also tells the user which ACL allowed the packet through on a different device.

Device Mode

A/B Path can work in Layer 2, Layer 3, and Layer 3 Active mode. The difference between the latter 2 types is that Layer 3 Active requires the use of live data but takes into account more port types. As stated earlier, the usual gauntlet of tools available to troubleshoot network outages are limited to Layer 3 analysis and would be hard-pressed to detect L2 or L4 movement.

In addition, A/B path can track the progress of specific applications and port numbers across the network. In its current iteration, A/B Path can support nearly 150 layer-4 protocols. Using these, A/B path can track the critical path of nearly any application or service on the network!

Historical Data Comparison

You can also check changes that have occurred between several iterations of the network. The way that the network looked today isn’t necessarily the way it looked a week or a month ago. If for any reason you need to see how things looked in the past, all you need to do is select benchmarked data and NetBrain’s A/B path calculator will provide the results.

In this example, a user is trying to find out why the WEB-SERVER-1 device suddenly isn’t communicating with the Bos-Core-Demo device through a specific interface. The user discovers through a live analysis that the devices now have an asymmetric routing path thanks to a VPN!


As you can see, the A/B path function is incredibly versatile, and its functionality extends beyond the examples listed out here. A/B path can also be used to detect the presence of NAT translation, Virtual IPs, L2/L3 envrionments, which VPNs the traffic is going through, or even whether there is any cloud infrastructure present in part of the network path. This tool will parse through CLI config files and enumerate the device’s attributes in a way that’s clear and accessible, even to people relatively new to networking. It acts as a helpful guide for people who’ve just begun their career in networking and a powerful instrument of change to those who are already well on their way.