Network policy analysis for networks

US 10,554,483 B2
Filed: 07/28/2017
Issued: 02/04/2020
Est. Priority Date: 05/31/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

collecting respective sets of configurations programmed at network devices in a network, the collecting comprising extracting the respective sets of configurations from each of the network devices in the network, wherein the network devices comprise at least one of a switch or a router, and wherein the network comprises one or more underlay networks;

based on the respective sets of configurations, determining a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;

based on the network-wide configuration of the network;

comparing the access control lists associated with the VLANs to yield a VLAN consistency check;

comparing respective configurations of the subnets in the network to yield a subnet consistency check; and

performing a topology consistency check based on the topology of the network; and

based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determining whether the respective sets of configurations programmed at the network devices in the network contain a configuration error, wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for performing network assurance in a traditional network. In some examples, a system can collect respective sets of configurations programmed at network devices in a network and, based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration including virtual local area networks (VLANs), access control lists (ACLs) associated with the VLANs, subnets, and/or a topology. Based on the network-wide configuration of the network, the system can compare the ACLs for each of the VLANs to yield a VLAN consistency check, compare respective configurations of the subnets to yield a subnet consistency check, and perform a topology consistency check based on the topology. Based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, the system can determine whether the respective sets of configurations programmed at the network devices contain a configuration error.

172 Citations

20 Claims

1. A method comprising:
- collecting respective sets of configurations programmed at network devices in a network, the collecting comprising extracting the respective sets of configurations from each of the network devices in the network, wherein the network devices comprise at least one of a switch or a router, and wherein the network comprises one or more underlay networks;
  
  based on the respective sets of configurations, determining a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;
  
  based on the network-wide configuration of the network;
  
  comparing the access control lists associated with the VLANs to yield a VLAN consistency check;
  
  comparing respective configurations of the subnets in the network to yield a subnet consistency check; and
  
  performing a topology consistency check based on the topology of the network; and
  
  based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determining whether the respective sets of configurations programmed at the network devices in the network contain a configuration error, wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein performing the topology consistency check comprises determining whether one or more rules are violated by the topology of the network, the rules defining at least one of a security violation, a dependency problem, a redundancy condition, and a routing problem, and wherein the configuration error comprises a violation of the one or more rules.
  - 3. The method of claim 1, wherein the configuration error comprises at least one of a policy conflict and an incomplete configuration associated with at least one of a VLAN and a subnet.
  - 4. The method of claim 1, wherein the respective sets of configurations comprise at least one of network addresses, hostnames, port configurations, protocol configurations, routing configurations, priority configurations, and state data.
  - 5. The method of claim 1, wherein determining whether the respective sets of configurations programmed at the network devices in the network contain a configuration error is based on one or more rules defined for at least one of VLAN configurations, subnet configurations, and topology configurations.
  - 6. The method of claim 5, wherein the configuration error comprises a rule violation determined based on the one or more rules.
  - 7. The method of claim 1, wherein the respective sets of configurations programmed at the network devices comprise rules and parameters rendered on at least one of a respective software environment of the network devices and a hardware environment of the network devices, and wherein the respective software environment comprises an operating system and the hardware environment comprises a storage device.
  - 8. The method of claim 1, wherein collecting the respective sets of configurations comprises polling the network devices and extracting the respective sets of configurations from the network devices, wherein determining the network-wide configuration of the network comprises combining the respective sets of configurations into a single, network-wide configuration model of the network.

9. A system comprising:
- one or more processors; and
  
  at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the system to;
  
  collect respective sets of configurations programmed at network devices in a network, wherein the collecting of the respective sets of configurations comprises extracting the respective sets of configurations from each of the network devices in the network, wherein the network devices comprise at least one of a switch or a router, and wherein the network comprises one or more underlay networks;
  
  based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;
  
  based on the network-wide configuration of the network;
  
  compare the access control lists associated with the VLANs to yield a VLAN consistency check;
  
  compare respective configurations of the subnets in the network to yield a subnet consistency check; and
  
  perform a topology consistency check based on the topology of the network; and
  
  based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determine whether the respective sets of configurations programmed at the network devices in the network contain a configuration error, wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein performing the topology consistency check comprises determining whether one or more rules are violated by the topology of the network, the rules defining at least one of a security violation, a dependency problem, a redundancy condition, and a routing problem, and wherein the configuration error comprises a violation of the one or more rules.
  - 11. The system of claim 9, wherein the configuration error comprises at least one of a policy conflict and an incomplete configuration associated with at least one of a VLAN and a subnet.
  - 12. The system of claim 9, wherein determining whether the respective sets of configurations programmed at the network devices in the network contain a configuration error is based on one or more rules defined for at least one of VLAN configurations, subnet configurations, and topology configurations, wherein the configuration error comprises a rule violation.
  - 13. The system of claim 9, wherein the respective sets of configurations programmed at the network devices comprise rules and parameters rendered on at least one of a respective software environment of the network devices and a hardware environment of the network devices, and wherein the respective software environment comprises an operating system and the hardware environment comprises a storage device.
  - 14. The system of claim 9, wherein collecting the respective sets of configurations comprises polling the network devices and extracting the respective sets of configurations from the network devices, wherein determining the network-wide configuration of the network comprises combining the respective sets of configurations into a single, network-wide configuration model of the network.

15. A non-transitory computer-readable storage medium comprising:
- instructions stored therein instructions which, when executed by one or more processors, cause the one or more processors to;
  
  collect, from a plurality of network devices in a network, respective sets of configurations programmed at the plurality of network devices in the network, the collecting comprising extracting the respective sets of configurations from each of the plurality of network devices in the network, wherein the plurality of network devices comprises at least one of switches or routers, and wherein the network comprises one or more underlay networks;
  
  based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;
  
  based on the network-wide configuration of the network;
  
  compare the access control lists associated with the VLANs to yield a VLAN consistency check;
  
  compare respective configurations of the subnets in the network to yield a subnet consistency check; and
  
  perform a topology consistency check based on the topology of the network; and
  
  based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determine whether the respective sets of configurations programmed at the plurality of network devices in the network contain a configuration error wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein determining the network-wide configuration of the network comprises combining the respective sets of configurations into a single, network-wide configuration model of the network.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the respective sets of configurations programmed at the plurality of network devices comprise rules and parameters rendered on at least one of a respective software environment of the plurality of network devices and a hardware environment of the plurality of network devices, and wherein the respective software environment comprises an operating system and the hardware environment comprises TCAM memory.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein performing the topology consistency check comprises determining whether one or more rules are violated by the topology of the network, the rules defining at least one of a security violation, a dependency problem, a redundancy condition, and a routing problem, and wherein the configuration error comprises a violation of the one or more rules.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the configuration error comprises at least one of a policy conflict and an incomplete configuration associated with at least one of a VLAN and a subnet.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein determining whether the respective sets of configurations programmed at the plurality of network devices in the network contain a configuration error is based on one or more rules defined for at least one of VLAN configurations, the subnet configurations, access control list configurations, and topology configurations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Nagarajan, Chandra, Mohanram, Kartik, Iyer, Sundar, Kompella, Ramana Rao
Primary Examiner(s)
Khan, Atta

Application Number

US15/663,233
Publication Number

US 20180351791A1
Time in Patent Office

921 Days
Field of Search

709220
US Class Current
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/08   Configuration management of...

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Network policy analysis for networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

172 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network policy analysis for networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links