Most tools tell you they support a brand and stop there. We tell you precisely how we read each one: the protocol, the data, and how deep the analysis goes. Some vendors get a full mathematical reachability proof. Some get a config-level parse plus SNMP. Some are read through their cloud API. We name which is which, and we name what we do not do yet. Everything here is read-only and runs on your own servers, with no agents on your gear.
The same network has gear from many vendors, and we cannot pretend they are all equal. So we are explicit. Each vendor sits in one of three tiers, and the tier tells you exactly what kind of answer you can trust from it.
Batfish-modeled
We build a vendor-neutral model of the device from its real running-config and prove reachability and forwarding: what can actually reach what, which ACL line permits or denies a flow, dead rules, duplicate IPs, and what a config change did to reachability. This is math, not a guess.
Cisco · Arista · Juniper · Fortinet · Palo Alto · F5
Parsed facts + live state
For gear Batfish does not model, we wrote our own parsers. We read the running-config into structured facts (VLANs, ports, ACL and firewall intent, IGMP, PoE) and pair it with a live SNMP walk. You get real segmentation, multicast and hardening findings, just not a formal L3 proof.
Netgear · Ubiquiti EdgeSwitch / EdgeRouter · Extreme
No on-box config
Cloud-managed gear has no running-config to capture, so we read the configuration from the vendor's own API, read-only, with a token you control that stays encrypted at rest. We pull VLANs, ports, and firewall rules and run the same segmentation and hardening checks against them.
Cisco Meraki · Ubiquiti UniFi
Read this left to right: how we reach the device, exactly what we pull off it, and how deep we can analyze it. The depth tag is the honest ceiling on the answers you can trust.
| Vendor | How we reach it | What we collect | What we analyze | Depth |
|---|---|---|---|---|
| Formal reachability proof (Batfish digital twin) | | | | |
| Cisco IOS · IOS-XE · NX-OS | SSH running-config + SNMP v2c/v3 | Full config; interfaces, VLANs, ACLs; BGP / OSPF; LLDP neighbors; IGMP; PoE; PTP clock; spanning-tree; serial and sensors. | Formal reachability and forwarding proof, ACL and segmentation analysis, dead-ACL and duplicate-IP, golden-config drift, hardening, Black Box change analysis. | Formal |
| Arista EOS | SSH running-config + SNMP v2c/v3 | Same fact set as Cisco, read from the EOS config and a live SNMP walk. | Same as Cisco: full reachability proof, ACL analysis, drift, hardening, Black Box. | Formal |
| Juniper Junos | SSH set-format config + SNMP v2c/v3 | Junos configuration (display set), interfaces, VLANs, firewall filters, routing, neighbors, IGMP, PoE, PTP, STP, sensors. | Same as Cisco: full reachability proof, filter and segmentation analysis, drift, hardening, Black Box. | Formal |
| Fortinet FortiOS / FortiGate | SSH full-configuration + SNMP | Full FortiOS config: security policy, NAT, interfaces and zones, addresses and services, routing. | Security policy and NAT modeled as forwarding, so reachability is proven the same way as a router. Segmentation analysis and drift. Note: automated hardening rules for FortiOS are on the roadmap. | Formal |
| Palo Alto PAN-OS | SSH set-format config + SNMP | PAN-OS running config: security and NAT policy, zones, interfaces, addresses and services, routing. | Policy and NAT forwarding model with reachability proof, segmentation analysis and drift. Note: hardening rules on the roadmap. | Formal |
| F5 BIG-IP | SSH tmsh config + SNMP | BIG-IP config (bigip.conf): virtual servers, pools, NAT, self-IPs and VLANs. | Application-delivery and pool forwarding model with reachability, segmentation analysis and drift. Note: hardening rules on the roadmap. | Formal |
| Config-level (our parser + SNMP) | | | | |
| Netgear AV Line M4250 / M4300 · FASTPATH | SSH running-config + SNMP (incl. Netgear PoE MIB) | VLANs and names, switch ports (access / trunk), ACL rules, IGMP snooping and querier, PoE budget and per-port draw, LAGs, serial and sensors. | VLAN segmentation, multicast readiness for Dante / NDI / NVX / AES67, ACL and firewall intent, PoE budget, and config hardening. | Config |
| Ubiquiti EdgeSwitch ES series · FASTPATH | SSH running-config + SNMP (incl. Ubiquiti PoE MIB) | Same fact set as Netgear: VLANs, ports, ACLs, IGMP, PoE, LAGs (shared FASTPATH parser). | Segmentation, multicast readiness, ACL intent, PoE, hardening. | Config |
| Ubiquiti EdgeRouter ER series · EdgeOS | SSH config + SNMP | Interfaces with VLAN sub-interfaces and addresses, firewall rule sets, NAT, static routes, DHCP (EdgeOS / Vyatta parser). | Firewall rule intent (the EdgeOS analog of an ACL), VLAN segmentation, routing and NAT facts, hardening. | Config |
| Extreme EXOS | SSH running-config + SNMP | Running-config captured in full, plus the live SNMP walk (interfaces, VLANs, neighbors, sensors). | Capture-first today: the config is stored, searchable, version-diffed and drift-checked, and SNMP facts feed inventory and health. Note: a structured EXOS parser is on the roadmap. | Config |
| Cloud API (read-only) | | | | |
| Cisco Meraki Dashboard API | HTTPS REST + encrypted API key | Org VLANs, switch ports (access / trunk, PoE), L3 firewall rules, device inventory. | Segmentation across VLANs, detection of overly-permissive allow-any rules, and a default-deny check. Cloud-managed, so there is no SSH config and no formal proof; analysis is config-level from the Dashboard. | Cloud |
| Ubiquiti UniFi Network / Controller API | HTTPS REST + encrypted API key | Devices, port profiles (access / trunk, PoE, storm and IGMP settings), VLANs and networks, gateway firewall rules. | Segmentation, port and PoE configuration, and gateway firewall intent, from the controller. | Cloud |
| Wireless and occupancy feeds (read-only, for the spatial analytics) | | | | |
| Cisco wireless WLC / Catalyst 9800 · AP poll | SNMP (AIRESPACE / Catalyst 9800 MIBs) | Per-AP radio state: associated clients, channel, transmit power, band. | Live coverage and client load, the RF heat map, and Wi-Fi space occupancy with a confidence band. | Feed |
| Juniper Mist Org API + zone webhooks | HTTPS REST + encrypted token | Per-zone client counts, and zone enter / exit events for dwell. Events are hashed on arrival; no client identity is stored. | Zone-level occupancy and dwell time for the space-analytics views. | Feed |
| Cisco Catalyst Center Assurance API | HTTPS REST + encrypted token | Client-count trend buckets (15-minute and hourly) for a site. | Site-level occupancy trend feeding the same analytics. | Feed |
Vendor and product names are the property of their owners and are listed only to describe interoperability. Aruba and other SNMP-speaking switches are also walked for inventory, interfaces, VLANs, neighbors, PoE and sensors; the depth tags above describe config and reachability analysis specifically.
Nothing here installs an agent, and nothing writes to your gear. Credentials stay encrypted at rest, and any source you have not configured simply stays dormant.
A read-only walk over SNMP v2c or v3 (with SHA / AES). From standard MIBs we read the system group, interfaces (ifTable / ifXTable), LLDP neighbors, Q-BRIDGE VLANs, spanning-tree, the entity table for serials and environmental sensors, PoE (POWER-ETHERNET-MIB plus Netgear and Ubiquiti private arcs), IGMP, and BGP, OSPF and PTP where the device runs them.
A read-only login that disables paging and pulls the running-config using each vendor's own CLI. The config is stored, versioned, and diffed so drift is caught, then handed either to Batfish for a formal proof or to our own parser for structured facts.
For cloud-managed gear (Meraki, UniFi) and the wireless feeds (Mist, Catalyst Center), we read configuration and telemetry over HTTPS with a token you issue. The token is encrypted at rest, every call is read-only, and outbound requests are guarded so they only reach the intended public host.
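One way to build the outbound guard described above, as an added example that is not the product's own code: the URL must be HTTPS to an allowlisted host, and every address the host resolves to must be public. The host names in `ALLOWED_HOSTS` and the function names are placeholders chosen for this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Placeholder allowlist (constructed; substitute the API hosts you actually use).
ALLOWED_HOSTS = {"dashboard.example.com", "controller.example.net"}


def resolve(host, port):
    """Return every address the name currently resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_outbound(url, resolver=resolve):
    """Return the vetted IPs for url, or raise ValueError.

    The caller should connect to one of the returned IPs (sending the original
    host name for TLS/SNI) instead of resolving again, so a DNS answer that
    changes between check and connect cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    if parts.port not in (None, 443):
        raise ValueError("only port 443 is allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not on the allowlist")
    addresses = resolver(host, 443)
    if not addresses:
        raise ValueError("host did not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:
            # Private, loopback, link-local (cloud metadata) and reserved ranges.
            raise ValueError(f"{host} resolves to non-public address {text}")
    return addresses
```

Rejecting the whole answer when any one address is non-public matters because a client library may pick any record from a mixed DNS response.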
For Mist zone dwell, the controller posts enter and exit events to a token-protected endpoint. Events are hashed immediately and counted; we never store who anyone is. This powers dwell time in the occupancy analytics without a survey or a sensor.
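A sketch of a hash-on-arrival dwell counter, added here as an example and not the product's code. It assumes a simplified event shape (`event`, `zone`, `client`, `ts`) instead of the Mist payload schema, and it assumes a keyed hash (HMAC-SHA256 with an in-memory random key), because a plain hash of a MAC address can be reversed by enumerating the small address space.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


class ZoneDwell:
    def __init__(self, endpoint_token):
        self._token = endpoint_token.encode()
        # Random per-process key: pseudonyms cannot be brute-forced back to a
        # client identifier and are unlinkable across restarts.
        self._key = secrets.token_bytes(32)
        self._inside = {}                   # (zone, pseudonym) -> enter time
        self.occupancy = defaultdict(int)   # zone -> clients currently inside
        self.dwell = defaultdict(list)      # zone -> completed dwell seconds

    def _pseudonym(self, client_id):
        data = client_id.lower().encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def ingest(self, presented_token, event):
        """Process one event; return False if it is rejected."""
        # Constant-time comparison avoids leaking the token through timing.
        if not hmac.compare_digest(presented_token.encode(), self._token):
            return False
        zone = event["zone"]
        key = (zone, self._pseudonym(event["client"]))  # raw id dropped here
        if event["event"] == "enter":
            if key not in self._inside:     # duplicate enter: count once
                self._inside[key] = event["ts"]
                self.occupancy[zone] += 1
        elif event["event"] == "exit":
            entered = self._inside.pop(key, None)
            if entered is not None:         # exit without enter: ignore
                self.occupancy[zone] -= 1
                self.dwell[zone].append(event["ts"] - entered)
        else:
            return False
        return True

    def stored_identifiers(self):
        """Everything retained about clients: pseudonyms still in a zone."""
        return {pseudonym for _, pseudonym in self._inside}
```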
Plenty of tools list a wall of logos. That tells you nothing about whether you can trust what comes back. So we did the opposite.
And we go where general-purpose tools do not: IGMP snooping and querier state, PTP clock health, and PoE budgets, the things that decide whether Dante, NDI, NVX and AES67 actually work. Every fact also carries where it came from, so a measured value never reads like a guess.
Run the preview on your own server, hand it read-only credentials for one corner of your network, and see exactly what it pulls off each device, with the depth labeled honestly.