Static network policy analysis for networks
Abstract
Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.
138 Citations
20 Claims
1. A method comprising:
obtaining a logical model based on network configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of a configuration of objects associated with the software-defined network, the objects including at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;
defining rules corresponding to conditions of the objects according to a specification of the software-defined network;
for each of the objects, determining a class name of a respective one of the objects, associating at least one of the rules with the respective one of the objects, and determining a tenant name of the respective one of the objects;
determining whether the configuration violates one or more of the rules; and
when the configuration violates the one or more of the rules, detecting an error in the configuration.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A system comprising:
one or more processors; and
at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to:
obtain a logical model based on network configuration data stored in a controller on a software-defined network, the logical model comprising a declarative representation of a respective configuration of objects associated with the software-defined network, the objects comprising at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;
define rules representing respective conditions of the objects according to a specification corresponding to the software-defined network;
for each of the objects, determine a class name of a respective one of the objects, associate at least one of the rules with the respective one of the objects, and determine a tenant name of the respective one of the objects;
determine whether the configuration violates one or more of the rules; and
when the configuration violates the one or more of the rules, detect an error in the configuration.
Dependent claims: 9, 10, 11, 12, 13.

14. A non-transitory computer-readable storage medium comprising:
instructions stored therein which, when executed by one or more processors, cause the one or more processors to:
obtain a logical model based on network configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of a configuration of objects associated with the software-defined network, the objects including at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;
define rules representing conditions of the objects according to a specification corresponding to the software-defined network;
for each of the objects, determine a class name of a respective one of the objects, associate at least one of the rules with the respective one of the objects, and determine a tenant name of the respective one of the objects;
determine whether the configuration violates one or more of the rules associated with that object; and
when the configuration violates the one or more of the rules, detect an error in the configuration.
Dependent claims: 15, 16, 17, 18, 19, 20.
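The following is an added illustration, not code from the patent or from any controller, of the analysis the abstract and claims describe: each object in the logical model is classified by its class name, rules are attached per class, the owning tenant is resolved from the object's path, and every rule violation is reported as a configuration error. The object classes, the path format, the rule identifiers and the sample model are constructed for the example; real controllers use their own schema.

```python
"""Static policy analysis over an SDN logical model (constructed example).

Objects carry a class name and a path; rules are registered per class name;
the tenant name is derived from the path; violations become reported errors.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Obj:
    """One object of the logical model.  Path format is an assumption:
    "tenant/<tenant>/<cls>/<name>" (a tenant itself is "tenant/<name>")."""
    cls: str                                    # class name, e.g. "BridgeDomain"
    dn: str                                     # path of the object in the model
    refs: Dict[str, str] = field(default_factory=dict)  # references to other objects

    @property
    def tenant(self) -> str:
        # Tenant name is determined from the object's path, as the claims describe
        return self.dn.split("/")[1]

    @property
    def name(self) -> str:
        return self.dn.rsplit("/", 1)[-1]


@dataclass(frozen=True)
class Violation:
    tenant: str
    cls: str
    name: str
    rule: str
    detail: str


class LogicalModel:
    """Declarative snapshot of the configuration, indexed for reference checks."""

    def __init__(self, objects: List[Obj]):
        self.objects = list(objects)
        self._index = {(o.tenant, o.cls, o.name): o for o in self.objects}

    def lookup(self, tenant: str, cls: str, name: str) -> Optional[Obj]:
        # Assumption: objects in tenant "common" are visible to every tenant
        return self._index.get((tenant, cls, name)) or self._index.get(("common", cls, name))


Rule = Callable[[Obj, LogicalModel], Optional[str]]
RULES: Dict[str, List[Tuple[str, Rule]]] = {}   # class name -> [(rule id, check)]


def rule(cls: str, rule_id: str):
    """Associate a rule with a class name; the check returns a message on violation."""
    def deco(fn: Rule) -> Rule:
        RULES.setdefault(cls, []).append((rule_id, fn))
        return fn
    return deco


@rule("BridgeDomain", "BD-001")
def bd_references_existing_context(obj: Obj, model: LogicalModel) -> Optional[str]:
    ctx = obj.refs.get("context")
    if not ctx:
        return "bridge domain does not reference a context"
    if model.lookup(obj.tenant, "Context", ctx) is None:
        return f"context '{ctx}' not found in tenant '{obj.tenant}' or 'common'"
    return None


@rule("EndpointGroup", "EPG-001")
def epg_references_existing_bd(obj: Obj, model: LogicalModel) -> Optional[str]:
    bd = obj.refs.get("bridge_domain")
    if not bd:
        return "endpoint group does not reference a bridge domain"
    if model.lookup(obj.tenant, "BridgeDomain", bd) is None:
        return f"bridge domain '{bd}' not found in tenant '{obj.tenant}' or 'common'"
    return None


@rule("EndpointGroup", "EPG-002")
def epg_has_contract(obj: Obj, model: LogicalModel) -> Optional[str]:
    # An EPG with no provided or consumed contract is isolated; flag it for review.
    if not obj.refs.get("provides") and not obj.refs.get("consumes"):
        return "endpoint group provides and consumes no contract"
    return None


@rule("Tenant", "TN-001")
def tenant_defines_context(obj: Obj, model: LogicalModel) -> Optional[str]:
    if not any(o.cls == "Context" and o.tenant == obj.name for o in model.objects):
        return "tenant defines no context"
    return None


def analyze(model: LogicalModel) -> List[Violation]:
    """Run every rule associated with each object's class; collect violations."""
    found: List[Violation] = []
    for obj in model.objects:
        for rule_id, check in RULES.get(obj.cls, []):
            msg = check(obj, model)
            if msg:
                found.append(Violation(obj.tenant, obj.cls, obj.name, rule_id, msg))
    return found


# Constructed sample model with three deliberate misconfigurations.
SAMPLE_MODEL = LogicalModel([
    Obj("Tenant", "tenant/common"),
    Obj("Context", "tenant/common/Context/shared-vrf"),
    Obj("Tenant", "tenant/acme"),
    Obj("Context", "tenant/acme/Context/vrf1"),
    Obj("BridgeDomain", "tenant/acme/BridgeDomain/bd-web", {"context": "vrf1"}),
    Obj("BridgeDomain", "tenant/acme/BridgeDomain/bd-db", {"context": "vrf-typo"}),   # BD-001
    Obj("EndpointGroup", "tenant/acme/EndpointGroup/web",
        {"bridge_domain": "bd-web", "provides": "http"}),
    Obj("EndpointGroup", "tenant/acme/EndpointGroup/db",
        {"bridge_domain": "bd-missing", "consumes": "sql"}),                          # EPG-001
    Obj("Tenant", "tenant/empty"),                                                    # TN-001
    Obj("BridgeDomain", "tenant/empty/BridgeDomain/bd-shared", {"context": "shared-vrf"}),
])

if __name__ == "__main__":
    for v in analyze(SAMPLE_MODEL):
        print(f"[{v.rule}] tenant={v.tenant} {v.cls}/{v.name}: {v.detail}")
```

Running the module reports the three planted errors (a bridge domain pointing at a misspelled context, an endpoint group pointing at a missing bridge domain, and a tenant with no context) and accepts the bridge domain that resolves its context through the shared tenant. The rule registry keyed by class name is what lets the checker run before anything is pushed to the fabric: new conditions from the network's specification are added as functions, and the model is only data.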
Specification