Validation of cross logical groups in a network

US 10,567,228 B2
Filed: 07/28/2017
Issued: 02/18/2020
Est. Priority Date: 06/19/2017
Status: Active Grant

First Claim

Patent Images

1. A system for performing a network assurance check of proper deployment of a configuration in a fabric, the system comprising:

at least one memory configured to store data; and

at least one processor operable to execute instructions associated with the data which, when executed by the at least one processor, cause the at least one processor to;

receive a global logic model, a plurality of software models, and/or a plurality of hardware models, the global logic model including a virtual routing and forwarding instance (VRF), the VRF having under it at least one bridge domain (BD) and at least one associated endpoint group (EPG);

create a plurality of local logical models from the global logical model;

create, for the VRF of the global logical model, a VRF container;

populate the VRF container with a subset, the subset being of the plurality of software models, the plurality of hardware models, and/or the plurality of local logical models, the subset defined by leafs in the fabric on which the VRF is deployed;

determine whether a security contract exists between any of the at least one EPG in the VRF container and an EPG not in the VRF container to yield a determination; and

validate, in response to a positive result of the determination, that one or more subnets of the at least one EPG in the VRF container and the EPG not in the VRF container do not clash.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods, and computer-readable media for assuring tenant forwarding in a network environment. Network assurance can be determined in layer 1, layer 2 and layer 3 of the networked environment including, internal-internal (e.g., inter-fabric) forwarding and internal-external (e.g., outside the fabric) forwarding in the networked environment. The network assurance can be performed using logical configurations, software configurations and/or hardware configurations.

185 Citations

20 Claims

1. A system for performing a network assurance check of proper deployment of a configuration in a fabric, the system comprising:
- at least one memory configured to store data; and
  
  at least one processor operable to execute instructions associated with the data which, when executed by the at least one processor, cause the at least one processor to;
  
  receive a global logic model, a plurality of software models, and/or a plurality of hardware models, the global logic model including a virtual routing and forwarding instance (VRF), the VRF having under it at least one bridge domain (BD) and at least one associated endpoint group (EPG);
  
  create a plurality of local logical models from the global logical model;
  
  create, for the VRF of the global logical model, a VRF container;
  
  populate the VRF container with a subset, the subset being of the plurality of software models, the plurality of hardware models, and/or the plurality of local logical models, the subset defined by leafs in the fabric on which the VRF is deployed;
  
  determine whether a security contract exists between any of the at least one EPG in the VRF container and an EPG not in the VRF container to yield a determination; and
  
  validate, in response to a positive result of the determination, that one or more subnets of the at least one EPG in the VRF container and the EPG not in the VRF container do not clash.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein each of the at least one BD includes at least one subnet.
  - 3. The system of claim 1, wherein each EPG of the at least one EPG includes at least one subnet.
  - 4. The system of claim 1, wherein the instructions for validation that the one or more subnets do not clash further comprises instructions, which when executed by the at least one processor causes the at least one processor to:
    - determine a first set of subnets in a first BD associated with a first EPG where the contract exists;
      
      determine second set of subnets in a second BD associated with a second EPG where the contract exists; and
      
      validate that the first set of subnets does not intersect with the second set of subnets.
  - 5. The system of claim 1, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to validate for each of the subnets, a next hop.
  - 6. The system of claim 1, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to generate an error event in response to a clash between the one or more subnets.
  - 7. The system of claim 4, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to generate an error event in response to the first set of subnets intersecting with the second set of subnets.

8. A method for performing a network assurance check of proper deployment of a configuration in a fabric, the method comprising:
- receiving a global logic model, a plurality of software models, and/or a plurality of hardware models, the global logic model including virtual routing instance (VRF), the VRF having under it at least one bridge domain (BD) and at least one associated endpoint group (EPG);
  
  creating a plurality of local logical models from the global logical model;
  
  creating, for the VRF of the global logical model, a VRF container;
  
  populating the VRF container with a subset, the subset being of the plurality of software models, the plurality of hardware models, and/or the plurality of local logical models, the subset defined by leafs in the fabric on which the VRF is deployed;
  
  determining whether a security contract exists between any of the at least one EPG in the VRF container and an EPG not in the VRF container; and
  
  validating, in response to a positive result of the determining, that one or more subnets of the at least one EPG in the VRF container and the EPG not in the VRF container do not clash.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein each of the at least one BD includes at least one subnet.
  - 10. The method of claim 8, wherein each EPG of the at least one EPG includes at least one subnet.
  - 11. The method of claim 8, wherein the validating that the one or more subnets do not clash further comprises:
    - determining first subnets in a first BD associated with a first EPG where the contract exists;
      
      determining second subnets in a second BD associated with a second EPG where the contract exists; and
      
      validating that the first subnets do not intersect with the second subnets.
  - 12. The method of claim 8, further comprising:
    - validating for each of the subnets, a next hop.
  - 13. The method of claim 8, further comprising,generating an error event in response to a clash between the one or more subnets.
  - 14. The method of claim 11, further comprising,generating an error event in response to the first subnets intersecting with the second subnets.

15. At least one non-transitory computer readable medium storing instructions which, when executed by a processor, cause the processor to:
- receiving a global logic model, a plurality of software models, and/or a plurality of hardware models, the global logic model including virtual routing instance (VRF), the VRF having under it at least one bridge domain (BD) and at least one associated endpoint group (EPG);
  
  create a plurality of local logical models from the global logical model;
  
  create, for the VRF of the global logical model, a VRF container;
  
  populate the VRF container with a subset, the subset being of the plurality of software models, the plurality of hardware models, and/or the plurality of local logical models, the subset defined by leafs in a fabric on which the VRF is deployed;
  
  determine whether a security contract exists between any of the at least one EPG in the VRF container and an EPG not in the VRF container to yield a determination; and
  
  validating, in response to a positive result of the determination, that one or more subnets of the at least one EPG in the VRF container and the EPG not in the VRF container do not clash.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The at least one non-transitory computer readable medium of claim 15, wherein each of the at least one BD includes at least one subnet.
  - 17. The at least one non-transitory computer readable medium of claim 15, wherein each EPG of the at least one EPG includes at least one subnet.
  - 18. The at least one non-transitory computer readable medium of claim 15, wherein the validating that the one or more subnets do not clash further comprises:
    - determine a first set of subnets in a first BD associated with a first EPG where the contract exists;
      
      determine second set of subnets in a second BD associated with a second EPG where the contract exists; and
      
      validate that the first set of subnets does not intersect with the second set of subnets.
  - 19. The at least one non-transitory computer readable medium of claim 15, wherein the instructions further cause the processor to validate a next hop for each of the subnets.
  - 20. The at least one non-transitory computer readable medium of claim 15, wherein the instructions further cause the processor to generate an error event in response to a clash between the one or more subnets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Harneja, Sanchay, Venkatesan, Ramadoss, Subramanya, Vikram
Primary Examiner(s)
Barker, Todd L

Application Number

US15/663,638
Publication Number

US 20180367394A1
Time in Patent Office

935 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/2289   by configuration test

H04L 41/06   Management of faults, event...

H04L 41/0866   Checking the configuration

H04L 41/0873   Checking configuration conf...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/145   involving simulating, desig...

H04L 41/344   Out-of-band transfers

Y02D 30/00   Reducing energy consumption...

Validation of cross logical groups in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

185 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Validation of cross logical groups in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links