Identifying mismatches between a logical model and node implementation

US 10,554,493 B2
Filed: 07/27/2017
Issued: 02/04/2020
Est. Priority Date: 06/19/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining reference concrete level rules for a node in a network, comprising;

receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network;

creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node;

obtaining, from the node in the network, implemented concrete level rules for the node;

comparing the reference concrete level rules with the implemented concrete level rules; and

determining that the implemented concrete level rules are not appropriately configured based on the comparing;

wherein;

concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow;

the reference concrete level rules are the correct allow and deny rules of the node; and

the implemented concrete level rules are the actual allow and deny rules being executed by the node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to obtain reference concrete level rules for a node in the network, obtain implemented concrete level rules for the node from the node in the network, compare the reference concrete level rules with the implemented concrete level rules, and determining that the implemented concrete level rules are not appropriately configured based on the comparison.

174 Citations

20 Claims

1. A computer-implemented method comprising:
- obtaining reference concrete level rules for a node in a network, comprising;
  
  receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network;
  
  creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node;
  
  obtaining, from the node in the network, implemented concrete level rules for the node;
  
  comparing the reference concrete level rules with the implemented concrete level rules; and
  
  determining that the implemented concrete level rules are not appropriately configured based on the comparing;
  
  wherein;
  
  concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow;
  
  the reference concrete level rules are the correct allow and deny rules of the node; and
  
  the implemented concrete level rules are the actual allow and deny rules being executed by the node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising:
    - obtaining a logical model for the network from a controller for the network;
      
      generating, based on the logical model for the network, a logical model for the node; and
      
      generating, based on the logical model for the node the reference concrete level rules for the node.
  - 3. The computer-implemented method of claim 1, further comprising querying the node in the network for the implemented concrete level rules for the node.
  - 4. The computer-implemented method of claim 1, further comprising comparing a number of reference concrete level rules with a number of implemented concrete level rules.
  - 5. The computer-implemented method of claim 1, wherein the node is a leaf node.
  - 6. The computer-implemented method of claim 1, wherein the reference concrete level rules are access control rules.
  - 7. The computer-implemented method of claim 1, further comprising notifying a network administrator that the implemented concrete level rules are not appropriately configured.
  - 8. The computer-implemented method of claim 1, further comprising recording the occurrence of a misconfiguration of the implemented concrete level rules along with a time stamp.
  - 9. The computer-implemented method of claim 1, further comprising restarting the node.
  - 10. The computer-implemented method of claim 1, further comprising:
    - obtaining, from a controller, reference rule identifiers for the reference concrete level rules for the node in the network;
      
      obtaining, from the node, implemented rule identifiers associated with hardware level entries stored on the node; and
      
      determining that the hardware level entries stored on the node are not appropriately configured based on the reference rule identifiers and the implemented rule identifiers.

11. A system comprising:
- one or more processors; and
  
  at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the system to perform operations comprising;
  
  obtaining reference concrete level rules for a node in a network, comprising;
  
  receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network;
  
  creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node;
  
  obtaining, from the node in the network, implemented concrete level rules for the node;
  
  comparing the reference concrete level rules with the implemented concrete level rules; and
  
  determining that the implemented concrete level rules are not appropriately configured based on the comparing;
  
  wherein;
  
  concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow;
  
  the reference concrete level rules are the correct allow and deny rules of the node; and
  
  the implemented concrete level rules are the actual allow and deny rules being executed by the node.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11, further comprising:
    - obtaining a logical model for the network from a controller for the network;
      
      generating, based on the logical model for the network, a logical model for the node; and
      
      generating, based on the logical model for the node the reference concrete level rules for the node.
  - 13. The system of claim 11, further comprising querying the node in the network for the implemented concrete level rules for the node.
  - 14. The system of claim 11, further comprising comparing a number of reference concrete level rules with a number of implemented concrete level rules.
  - 15. The system of claim 11, wherein the node is a leaf node.

16. A non-transitory computer-readable storage medium having stored therein instructions which, when executed, cause a system to perform operations comprising:
- obtaining reference concrete level rules for a node in a network, comprising;
  
  receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network;
  
  creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node;
  
  obtaining, from the node in the network, implemented concrete level rules for the node;
  
  comparing the reference concrete level rules with the implemented concrete level rules; and
  
  determining that the implemented concrete level rules are not appropriately configured based on the comparing;
  
  wherein;
  
  concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow;
  
  the reference concrete level rules are the correct allow and deny rules of the node; and
  
  the implemented concrete level rules are the actual allow and deny rules being executed by the node.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The medium of claim 16, further comprising:
    - obtaining a logical model for the network from a controller for the network;
      
      generating, based on the logical model for the network, a logical model for the node; and
      
      generating, based on the logical model for the node the reference concrete level rules for the node.
  - 18. The medium of claim 16, further comprising querying the node in the network for the implemented concrete level rules for the node.
  - 19. The medium of claim 16, further comprising comparing a number of reference concrete level rules with a number of implemented concrete level rules.
  - 20. The medium of claim 16, wherein the node is a leaf node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kompella, Ramana Rao, Nagarajan, Chandra, Monk, John Thomas, Ghantasala, Purna Mani Kumar
Primary Examiner(s)
Haile, Awet

Application Number

US15/661,899
Publication Number

US 20180367396A1
Time in Patent Office

922 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0661   by reconfiguring faulty ent...

H04L 41/0686   Additional information in t...

H04L 41/0853   by actively collecting conf...

H04L 41/0859   by keeping history of diffe...

H04L 41/0869   Validating the configuratio...

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/12   Discovery or management of ...

H04L 41/122   of virtualised topologies, ...

H04L 41/145   involving simulating, desig...

H04L 41/40   using virtualisation of net...

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

H04L 63/20   for managing network securi...

Identifying mismatches between a logical model and node implementation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

174 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying mismatches between a logical model and node implementation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

174 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links