All 93 built-in checks, organized by engine and category. Each entry includes the check name (used in a rule's check_name field), a description, and the configurable parameters.
Intent Checks (42)
Addressing (8 checks)
| Check Name | Description | Parameters |
|---|---|---|
| cabled_interfaces_have_ips | Every cabled interface has at least 1 IP address | exclude_types: ["virtual"] |
| no_duplicate_ips | No IP is assigned to multiple interfaces | -- |
| management_ip_in_prefix | Primary IP is within expected management prefix | prefix: "10.0.0.0/8" |
| ip_prefix_utilization | Active prefixes below utilization threshold | max_utilization_pct: 90 |
| no_orphan_ips | No IPs exist without an assigned interface | -- |
| loopback_has_host_route | Loopback interfaces have /32 or /128 only | -- |
| point_to_point_subnet_sizing | Point-to-point links use /30 or /31 | allowed_masks: [30, 31] |
| ip_vrf_consistency | IPs on VRF interfaces come from VRF prefixes | -- |
Redundancy (7 checks)
| Check Name | Description | Parameters |
|---|---|---|
| min_cabled_uplinks | Device has N or more cabled uplink interfaces | min_uplinks: 2, uplink_types: ["1000base-t", "10gbase-x-sfpp"] |
| min_bgp_sessions | Device has N or more BGP sessions | min_sessions: 2 |
| redundant_power | Device has N or more cabled power ports | min_power_feeds: 2 |
| site_min_devices_by_role | Site has N or more devices for a given role | role: "spine", min_count: 2 |
| dual_homed_circuits | Device has N or more circuit terminations | min_circuits: 2 |
| lag_min_members | LAG interfaces have N or more members | min_members: 2 |
| virtual_chassis_member_count | Virtual chassis has N or more members | min_members: 2 |
Topology (8 checks)
| Check Name | Description | Parameters |
|---|---|---|
| leaf_spine_connectivity | Every leaf has cables to N or more distinct spines | min_spines: 2, spine_role: "spine" |
| no_unconnected_active_interfaces | Active interfaces are cabled or uncabled type | allowed_uncabled_types: ["virtual", "lag", "bridge"] |
| symmetric_cabling | Both ends of every cable have matching speed/type | -- |
| cable_trace_complete | Cable paths are traceable end-to-end | -- |
| site_redundant_paths | Site has N or more distinct uplink paths | min_paths: 2 |
| rear_port_mapping_complete | All rear ports have front port mappings | -- |
| console_connectivity | At least one console port is connected | -- |
| mtu_consistency_across_link | Both ends of a cable have the same MTU | -- |
Standards (6 checks)
| Check Name | Description | Parameters |
|---|---|---|
| bgp_asn_range_consistent | BGP ASNs within allowed range | min_asn: 64512, max_asn: 65534 |
| interface_naming_consistent | Interfaces follow naming convention by type | pattern_by_type: {"1000base-t": "^(Ethernet\|eth)\\d+"} |
| consistent_device_naming | Devices at same site/role follow naming scheme | pattern_by_role: {} |
| consistent_platform_per_role | All devices with same role at site use same platform | -- |
| vlan_id_range_by_site | VLANs at site within allowed ID ranges | min_vid: 100, max_vid: 999 |
| prefix_role_assigned | Active prefixes have a role assigned | -- |
Completeness (8 checks)
| Check Name | Description | Parameters |
|---|---|---|
| config_context_required_keys | config_context contains required keys | required_keys: ["ntp_servers", "dns_servers"] |
| circuit_terminations_complete | All circuits have both A and Z terminations | -- |
| vlan_assignments_complete | Tagged-mode interfaces have VLANs assigned | -- |
| site_has_required_roles | Site has at least 1 device for each required role | required_roles: ["spine", "leaf"] |
| contact_assigned_to_site | Sites have at least one contact assignment | -- |
| custom_field_populated | Specified custom fields are non-empty | custom_fields: [] |
| asset_documentation_complete | Native device fields are populated | required_fields: ["platform", "site", "rack", "position", "primary_ip4", "serial"] |
| ntp_syslog_configured | Device config_context has NTP and syslog servers | ntp_key: "ntp.servers", syslog_key: "syslog.servers", require_both: true |
Security Intent (5 checks)
| Check Name | Description | Parameters |
|---|---|---|
| no_forbidden_values_in_context | config_context has no forbidden values | forbidden: [{"path": "snmp.community", "values": ["public", "private"]}] |
| management_vrf_enforced | Management interfaces are in the correct VRF | management_vrf_name: "MGMT", management_interface_patterns: ["management", "mgmt", "oob"] |
| required_context_structure | config_context matches required schema | schema: {"ntp_servers": {"type": "list", "min_length": 2}} |
| no_plaintext_secrets_in_context | config_context has no password/key patterns | patterns: ["(?i)password\\s*[:=]\\s*\\S+"] |
| restricted_prefix_usage | Certain prefixes only used by allowed roles | restricted_prefixes: [] |
Config Checks (35)
Available to Premium tier customers. Config checks use engine: "config" and require the config analysis engine. The config engine is powered by Batfish; NOS support is aligned with Batfish's supported platforms.
Parse Quality (4 checks)
| Check Name | Description | Parameters |
|---|---|---|
| config_parse_status | Configs parse without errors | -- |
| config_parse_warnings | Parse warnings in config files | max_warnings: 0 |
| undefined_references | References to undefined structures (e.g., route-map referencing missing prefix-list) | -- |
| unused_structures | Defined but never referenced structures | -- |
Routing Protocols (11 checks)
| Check Name | Description | Parameters |
|---|---|---|
| bgp_sessions | BGP session compatibility | -- |
| bgp_unestablished_reason | Why specific BGP sessions can't establish | -- |
| bgp_process_config | BGP process configuration correctness | -- |
| bgp_rib_validation | Expected routes present in BGP RIB | expected_routes: [] |
| ospf_session_compatibility | OSPF session compatibility | -- |
| ospf_process_config | OSPF process and area configuration | -- |
| routing_loop_detection | Forwarding loops in the network | -- |
| multipath_consistency | ECMP/multipath forwarding consistency | -- |
| bgp_localpref_equals | Verify local preference matches expected value for a prefix | prefix: "0.0.0.0/0", expected_localpref: 100 |
| bgp_med_equals | Verify MED matches expected value for a prefix | prefix: "0.0.0.0/0", expected_med: 0 |
| route_advertised_to | Verify a prefix is advertised to specific BGP neighbors | prefix: "", expected_neighbors: [] |
IP & Topology (5 checks)
| Check Name | Description | Parameters |
|---|---|---|
| duplicate_ips | Duplicate IP addresses across devices | -- |
| ip_owners_conflict | IP ownership conflicts | -- |
| layer3_topology_complete | L3 adjacency discovery | -- |
| interface_mtu_config | MTU mismatches on connected interfaces | -- |
| hsrp_vrrp_config | HSRP/VRRP first-hop redundancy configuration | -- |
ACL & Security (7 checks)
| Check Name | Description | Parameters |
|---|---|---|
| acl_reachability | Unreachable/shadowed ACL lines | -- |
| acl_denies_traffic | ACL rules that deny specified traffic flows | flow: {} |
| bgp_prefix_filter_applied | All eBGP peers have inbound and outbound route-map or prefix-list | -- |
| bgp_authentication_configured | BGP sessions use MD5 or TCP-AO authentication | -- |
| ospf_authentication_configured | OSPF interfaces use message-digest authentication | require_type: null |
| management_access_acl_configured | VTY lines have access-class ACLs restricting management access | -- |
| assert_traffic_blocked | Verify specific traffic flows are blocked (inverted reachability assertion) | src_ip: "", dst_ip: "", applications: [] |
Overlay (3 checks)
| Check Name | Description | Parameters |
|---|---|---|
| vxlan_vni_config | VXLAN VNI mapping correctness | -- |
| evpn_l3_vni_consistency | EVPN L3 VNI consistency across the fabric | -- |
| snmp_community_clients | SNMP community string configuration | -- |
Reachability (3 checks)
These checks use the config engine to perform reachability analysis. The config engine is enabled by default for Premium tier customers.
| Check Name | Description | Parameters |
|---|---|---|
| reachability_assertion | Assert specific source-to-destination reachability | src_ip: "", dst_ip: "", applications: [] |
| traceroute_reachability | Simulated traceroute path validation | src_ip: "", dst_ip: "" |
| route_table_completeness | Expected routes present in the routing table | expected_routes: [] |
Differential (2 checks, branch-only)
| Check Name | Description | Parameters |
|---|---|---|
| differential_reachability | Lost/new reachability between main and branch configs | -- |
| routing_changes | Routes added/removed between main and branch configs | -- |
Graph Checks (16)
Available to Premium tier customers. Graph checks use engine: "graph" and require enable_graph_engine: true on the policy. The graph engine is enabled by default for Premium deployments.
Power (6 checks)
| Check Name | Description | Parameters |
|---|---|---|
| power_path_complete | Every device has N or more complete power paths to a panel | min_complete_paths: 1, skip_if_no_power_ports: true |
| power_redundancy | Power paths through independent feeds/panels | independence_level: "panel", min_independent_paths: 2, skip_if_no_power_ports: true |
| power_feed_capacity | Power feed utilization within thresholds | warning_threshold: 80, critical_threshold: 95, draw_type: "allocated" |
| power_three_phase_balance | Three-phase feeds balanced across legs | max_imbalance_percent: 20 |
| power_feed_blast_radius | Unprotected devices per power feed failure | max_unprotected_devices: 0 |
| power_panel_blast_radius | Unprotected devices per power panel failure | max_unprotected_devices: 0 |
Topology (2 checks)
| Check Name | Description | Parameters |
|---|---|---|
| device_single_point_of_failure | Devices whose removal disconnects the network | spof_roles: null (all), min_downstream_impact: 2 |
| cable_single_point_of_failure | Cables whose removal disconnects the network | cross_rack_only: true |
Infrastructure (5 checks)
| Check Name | Description | Parameters |
|---|---|---|
| site_connectivity_redundancy | Site has circuits from N or more providers | min_providers: 2, min_circuits: 2 |
| circuit_path_diversity | Circuits use diverse providers, racks, devices | diversity_scope: "site", diversity_requirements: ["provider", "rack", "device"] |
| rack_failure_impact | Network impact when all rack devices are removed | max_external_impact: 5 |
| shared_failure_domain | Device pairs sharing too many failure domains | max_shared_domains: 2, domain_types: ["power_feed", "power_panel", "rack", "upstream_device", "circuit_provider"], compare_roles: null (all), max_devices: 500 |
| concurrent_maintainability | Any single component can be taken offline without service impact (TIA-942 Tier III/IV) | max_service_impact: 0, check_power: true, check_network: true |
Reachability -- Config-Engine-Enhanced (3 checks)
These checks require the config analysis engine for routing-layer analysis. They operate independently of per-policy enable_config_engine.
| Check Name | Description | Parameters |
|---|---|---|
| routing_convergence_impact | Simulate device failure, measure prefix loss | target_roles: ["spine", "border", "core"], max_unreachable_prefixes: 0, max_targets: 10 |
| bgp_session_criticality | BGP sessions whose loss affects the most prefixes | min_prefix_count: 10 |
| forwarding_path_redundancy | Multiple forwarding paths between flow pairs | flow_pairs: "all_inter_site", min_paths: 2 |
routing_convergence_impact details: This check simulates device failures to measure routing convergence and prefix reachability impact. target_roles selects which device roles to simulate failures for. max_unreachable_prefixes sets the pass/fail threshold (0 = any prefix loss is a failure). max_targets (default 10) limits simulation to the N most-connected devices within the target roles, sorted by uplink count descending -- prioritizing devices whose failure would have the greatest blast radius.