Network policy analysis for networks
First Claim
1. A method comprising:
collecting respective sets of configurations programmed at network devices in a network, the collecting comprising extracting the respective sets of configurations from each of the network devices in the network, wherein the network devices comprise at least one of a switch or a router, and wherein the network comprises one or more underlay networks;
based on the respective sets of configurations, determining a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;
based on the network-wide configuration of the network:
comparing the access control lists associated with the VLANs to yield a VLAN consistency check;
comparing respective configurations of the subnets in the network to yield a subnet consistency check; and
performing a topology consistency check based on the topology of the network; and
based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determining whether the respective sets of configurations programmed at the network devices in the network contain a configuration error, wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.
Abstract
Systems, methods, and computer-readable media for performing network assurance in a traditional network. In some examples, a system can collect respective sets of configurations programmed at network devices in a network and, based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration including virtual local area networks (VLANs), access control lists (ACLs) associated with the VLANs, subnets, and/or a topology. Based on the network-wide configuration of the network, the system can compare the ACLs for each of the VLANs to yield a VLAN consistency check, compare respective configurations of the subnets to yield a subnet consistency check, and perform a topology consistency check based on the topology. Based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, the system can determine whether the respective sets of configurations programmed at the network devices contain a configuration error.
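The pipeline the abstract describes, as an added example that is not the patent's or any vendor's code: per-device configurations (a constructed sample in an assumed neutral dict format, not a real switch syntax) are merged into a network-wide view, then the VLAN, subnet and topology checks run over that view. The function names, the device names sw1/sw2/sw3, the reading of "comparing ACLs" as "the same VLAN must carry the same ACL on every device", and the decision to report any cycle in the link graph as a loop are assumptions of this example.

```python
"""Network-wide consistency checks over per-device configurations.
Added example, not the patent's code. The config format, device names,
sample values and check semantics are assumptions made for illustration."""
import ipaddress
from collections import defaultdict

# Constructed sample: what extracting each device's configuration might yield
# once parsed into a neutral form (assumed format, no vendor syntax).
DEVICE_CONFIGS = {
    "sw1": {
        "vlans": {10: {"acl": ("permit 10.0.10.0/24", "deny any")},
                  20: {"acl": ("permit 10.0.20.0/24", "deny any")}},
        "subnets": {10: "10.0.10.0/24", 20: "10.0.20.0/24"},
        "links": ["sw2", "sw3"],
    },
    "sw2": {
        "vlans": {10: {"acl": ("permit 10.0.10.0/24", "deny any")},
                  20: {"acl": ("permit any",)}},             # VLAN 20 ACL differs from sw1
        "subnets": {10: "10.0.10.0/24", 20: "10.0.20.0/25"},  # VLAN 20 subnet differs from sw1
        "links": ["sw1", "sw3"],
    },
    "sw3": {
        "vlans": {10: {"acl": ("permit 10.0.10.0/24", "deny any")}},
        "subnets": {10: "10.0.10.0/24"},
        "links": ["sw1", "sw2"],                              # sw1-sw2-sw3 triangle: a loop
    },
}

def build_network_wide_config(device_configs):
    """Merge per-device configs: per-VLAN ACLs and subnets keyed by device,
    plus the adjacency each device declares (directed, as reported)."""
    vlan_acls = defaultdict(dict)      # vlan -> {device: acl tuple}
    vlan_subnets = defaultdict(dict)   # vlan -> {device: subnet string}
    declared_links = set()             # (device, peer) as each device reports it
    for dev, cfg in device_configs.items():
        for vlan, entry in cfg["vlans"].items():
            vlan_acls[vlan][dev] = tuple(entry["acl"])
        for vlan, subnet in cfg["subnets"].items():
            vlan_subnets[vlan][dev] = subnet
        for peer in cfg["links"]:
            declared_links.add((dev, peer))
    return {"vlan_acls": dict(vlan_acls),
            "vlan_subnets": dict(vlan_subnets),
            "declared_links": declared_links}

def vlan_consistency_check(nw):
    """ACL conflict: the same VLAN is filtered differently on different devices."""
    errors = []
    for vlan, per_dev in sorted(nw["vlan_acls"].items()):
        if len(set(per_dev.values())) > 1:
            errors.append(("acl_conflict", vlan, sorted(per_dev)))
    return errors

def subnet_consistency_check(nw):
    """Subnet conflict: a VLAN's subnet differs across devices, or two VLANs overlap."""
    errors = []
    nets_by_vlan = {}
    for vlan, per_dev in sorted(nw["vlan_subnets"].items()):
        nets = {ipaddress.ip_network(s) for s in per_dev.values()}
        if len(nets) > 1:
            errors.append(("subnet_mismatch", vlan, sorted(per_dev)))
        nets_by_vlan[vlan] = nets
    vlans = sorted(nets_by_vlan)
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if any(x.overlaps(y) for x in nets_by_vlan[a] for y in nets_by_vlan[b]):
                errors.append(("subnet_overlap", a, b))
    return errors

def topology_consistency_check(nw):
    """Topology errors: a link only one side reports, or a cycle in the link graph."""
    errors = []
    declared = nw["declared_links"]
    for a, b in sorted(declared):
        if (b, a) not in declared:
            errors.append(("asymmetric_link", a, b))
    # Loop detection with union-find: an edge whose endpoints are already connected
    # closes a cycle. Every L2 cycle is reported; whether spanning tree makes it
    # harmless is not modelled here (assumption of this example).
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in sorted({tuple(sorted(e)) for e in declared}):
        ra, rb = find(a), find(b)
        if ra == rb:
            errors.append(("loop", a, b))
        else:
            parent[ra] = rb
    return errors

def analyze(device_configs):
    """Run all three checks; a non-empty list means a configuration error."""
    nw = build_network_wide_config(device_configs)
    return (vlan_consistency_check(nw)
            + subnet_consistency_check(nw)
            + topology_consistency_check(nw))

if __name__ == "__main__":
    for err in analyze(DEVICE_CONFIGS):
        print(err)
```

On the sample above the run reports three findings: an ACL conflict and a subnet mismatch on VLAN 20 between sw1 and sw2, and the loop closed by the sw2 to sw3 link. Two caveats a practitioner would add before trusting such a tool: a physical triangle is only an error if nothing breaks the loop, so real checks consult spanning-tree state on the collected ports rather than the raw link graph; and "conflict between ACLs" in production usually also covers rules that shadow or contradict each other within one list, which this example does not attempt.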
172 Citations
20 Claims
1. (Reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A system comprising:
one or more processors; and
at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the system to:
collect respective sets of configurations programmed at network devices in a network, wherein the collecting of the respective sets of configurations comprises extracting the respective sets of configurations from each of the network devices in the network, wherein the network devices comprise at least one of a switch or a router, and wherein the network comprises one or more underlay networks;
based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;
based on the network-wide configuration of the network:
compare the access control lists associated with the VLANs to yield a VLAN consistency check;
compare respective configurations of the subnets in the network to yield a subnet consistency check; and
perform a topology consistency check based on the topology of the network; and
based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determine whether the respective sets of configurations programmed at the network devices in the network contain a configuration error, wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.
Dependent claims: 10, 11, 12, 13, 14.

15. A non-transitory computer-readable storage medium comprising:
instructions stored therein which, when executed by one or more processors, cause the one or more processors to:
collect, from a plurality of network devices in a network, respective sets of configurations programmed at the plurality of network devices in the network, the collecting comprising extracting the respective sets of configurations from each of the plurality of network devices in the network, wherein the plurality of network devices comprises at least one of switches or routers, and wherein the network comprises one or more underlay networks;
based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration comprising at least one of virtual local area networks (VLANs) in the network, access control lists associated with the VLANs, subnets in the network, and a topology of the network;
based on the network-wide configuration of the network:
compare the access control lists associated with the VLANs to yield a VLAN consistency check;
compare respective configurations of the subnets in the network to yield a subnet consistency check; and
perform a topology consistency check based on the topology of the network; and
based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, determine whether the respective sets of configurations programmed at the plurality of network devices in the network contain a configuration error, wherein the configuration error comprises at least one of a first conflict between the access control lists, a second conflict between the respective configurations of the subnets, or a loop resulting from the topology of the network.
Dependent claims: 16, 17, 18, 19, 20.
Specification