Static network policy analysis for networks

US 10,560,328 B2
Filed: 07/28/2017
Issued: 02/11/2020
Est. Priority Date: 04/20/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a logical model based on network configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of a configuration of objects associated with the software-defined network, the objects including at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;

defining rules corresponding to conditions of the objects according to a specification of the software-defined network;

for each of the objects, determining a class name of a respective one of the objects, associating at least one of the rules with the respective one of the objects, and determining a tenant name of the respective one of the objects;

determining whether the configuration violates one or more of the rules; and

when the configuration violates the one or more of the rules, detecting an error in the configuration.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.

138 Citations

20 Claims

1. A method comprising:
- obtaining a logical model based on network configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of a configuration of objects associated with the software-defined network, the objects including at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;
  
  defining rules corresponding to conditions of the objects according to a specification of the software-defined network;
  
  for each of the objects, determining a class name of a respective one of the objects, associating at least one of the rules with the respective one of the objects, and determining a tenant name of the respective one of the objects;
  
  determining whether the configuration violates one or more of the rules; and
  
  when the configuration violates the one or more of the rules, detecting an error in the configuration.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - reading the logical model; and
      
      checking rules for a configuration error.
  - 3. The method of claim 1, wherein the configuration includes at least one of a contract, a filter, a subject, or an entry.
  - 4. The method of claim 1, wherein the declarative representation defines one or more relationships between the objects.
  - 5. The method of claim 1,wherein,the software-defined network is an application-centric infrastructure network, andthe controller is an application policy infrastructure controller.
  - 6. The method of claim 1, wherein the determining of whether the configuration violates the one or more of the rules includes analyzing the one or more rules to determine whether a configuration error exists.
  - 7. The method of claim 1, wherein the determining of whether the configuration violates the one or more of the rules comprises:
    - generating a list of flat rules based on the configuration, each of the flat rules including a mathematical representation of an associated configuration from the configuration; and
      
      analyzing the flat rules.

8. A system comprising:
- one or more processors; and
  
  at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to;
  
  obtain a logical model based on network configuration data stored in a controller on a software-defined network, the logical model comprising a declarative representation of a respective configuration of objects associated with the software-defined network, the objects comprising at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;
  
  define rules representing respective conditions of the objects according to a specification corresponding to the software-defined network;
  
  for each of the objects, determine a class name of a respective one of the objects, associating at least one of the rules with the respective one of the objects, and determining a tenant name of the respective one of the objects;
  
  determine whether the configuration violates one or more of the rules; and
  
  when the configuration violates the one or more of the rules, detect an error in the configuration.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the configuration of includes at least one of an endpoint group configuration, a context configuration, a bridge domain configuration, a subnet configuration, or a security policy.
  - 10. The system of claim 9, wherein the security policy includes at least one of a contract, a filter, a subject, or an entry.
  - 11. The system of claim 8, wherein the declarative representation defines one or more relationships between the objects.
  - 12. The system of claim 8,wherein,the software-defined network is an application-centric infrastructure network, andthe controller is an application policy infrastructure controller.
  - 13. The system of claim 8, wherein determining whether the configuration violates the rules includes analyzing the rules to determine whether a configuration error exists.

14. A non-transitory computer-readable storage medium comprising:
- instructions stored therein instructions which, when executed by one or more processors, cause the one or more processors to;
  
  obtain a logical model based on network configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of a configuration of objects associated with the software-defined network, the objects including at least one of one or more endpoint groups, one or more bridge domains, one or more contexts, or one or more tenants;
  
  define rules representing conditions of the objects according to a specification corresponding to the software-defined network;
  
  for each of the objects, determine a class name of a respective one of the objects, associating at least one of the rules with the respective one of the objects, and determining a tenant name of the respective one of the objects;
  
  determine whether the configuration violates one or more of the rules associated with that object; and
  
  when the configuration violates the one or more of the rules, detect an error in the configuration.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable storage medium of claim 14,wherein,the one or more contexts comprise one or more virtual routing and forwarding instances, andthe configuration includes at least one of properties associated with the objects, contracts associated with the objects, or relationships between the objects.
  - 16. The non-transitory computer-readable storage medium of claim 14,wherein,the software-defined network is an application-centric infrastructure network, andthe controller is an application policy infrastructure controller.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein determining whether the configuration violates the one or more of the rules includes analyzing the rules to determine whether a configuration error exists.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein obtaining the logical model includes constructing the logical model based on the configurations and runtime state data collected in the software-defined network.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the one or more processors to:
    - read the logical model; and
      
      check each of the rules for a configuration error.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein the configuration includes at least one of an endpoint group configuration, a context configuration, a bridge domain configuration, a subnet configuration, or a security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mohanram, Kartik, Nagarajan, Chandra, Iyer, Sundar, Nazar, Shadab, Kompella, Ramana Rao
Primary Examiner(s)
Nguyen, Kim T

Application Number

US15/663,598
Publication Number

US 20180309629A1
Time in Patent Office

928 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/0895   Configuration of virtualise...

H04L 41/142   using statistical or mathem...

H04L 41/145   involving simulating, desig...

H04L 41/147   for predicting network beha...

H04L 41/40   using virtualisation of net...

H04L 43/0823   Errors, e.g. transmission e...

H04L 43/10   Active monitoring, e.g. hea...

H04L 43/20   the monitoring system or th...

Static network policy analysis for networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

138 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Static network policy analysis for networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links