Intent driven network policy platform

US 10,594,560 B2
Filed: 03/27/2017
Issued: 03/17/2020
Est. Priority Date: 03/27/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving configuration data for a set of network entities in a network;

generating an inventory store comprising records associated with the configuration data, each network entity in the set of network entities associated with one of the records in the inventory store, the configuration data stored in the inventory store;

receiving a user intent statement sent by a user to affect a plurality of network policies for a plurality of network entities, in the set of network entities, managed by the user, the user intent statement being an expression of one or more network rules to be translated into the plurality of network policies for the plurality of network entities, the user intent statement including a filter and an action;

querying, based on the filter, the inventory store to identify the plurality of network entities in the set of network entities to which the user intent statement applies;

generating the plurality of network policies that apply the action to the plurality of network entities; and

enforcing the plurality of network policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed technology relates to intent driven network management. A system is configured to maintain an inventory store comprising records for a set of network entities in a network, wherein each network entity in the set of network entities is associated with a record in the inventory store. The system receives a user intent statement comprising an action and a flow filter representing network data flows on which the action is to be applied and queries, based on the flow filter, the inventory store to identify a plurality of network entities in the set of network entities to which the user intent statement applies. The system generates a plurality of network policies that implement the user intent statement based on the plurality of network entities and the action and enforces the plurality network policies.

660 Citations

17 Claims

1. A computer-implemented method comprising:
- receiving configuration data for a set of network entities in a network;
  
  generating an inventory store comprising records associated with the configuration data, each network entity in the set of network entities associated with one of the records in the inventory store, the configuration data stored in the inventory store;
  
  receiving a user intent statement sent by a user to affect a plurality of network policies for a plurality of network entities, in the set of network entities, managed by the user, the user intent statement being an expression of one or more network rules to be translated into the plurality of network policies for the plurality of network entities, the user intent statement including a filter and an action;
  
  querying, based on the filter, the inventory store to identify the plurality of network entities in the set of network entities to which the user intent statement applies;
  
  generating the plurality of network policies that apply the action to the plurality of network entities; and
  
  enforcing the plurality of network policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein the filter comprises an inventory filter representing network entities on which the action is to be applied.
  - 3. The computer-implemented method of claim 1, wherein the filter comprises a flow filter representing network data flows on which the action is to be applied.
  - 4. The computer-implemented method of claim 1, wherein the action comprises at least one of an enforcement action, a configuration action, or an annotation action.
  - 5. The computer-implemented method of claim 1, wherein the configuration data is received from a network operator and the configuration data comprises at least one of an internet protocol (IP) address, a host name, a geographic location, or a department.
  - 6. The computer-implemented method of claim 1, wherein the generating of the inventory store comprises:
    - receiving observed data from at least one network agent configured to collected data associated with one network entity of the set of network entities; and
      
      storing the observed data in the inventory store.
  - 7. The computer-implemented method of claim 6, wherein the observed data comprises at least one of policy enforcement data or entity performance data.
  - 8. The computer-implemented method of claim 1, further comprising:
    - formatting the user intent statement; and
      
      storing the user intent statement in an intent store.
  - 9. The computer-implemented method of claim 1, further comprising:
    - storing the plurality of network policies in a policy store.
  - 10. The computer-implemented method of claim 1, wherein the filter comprises an entity attribute and wherein the querying of the inventory store to identify the plurality of network entities comprises identifying network entities in the inventory store based on the entity attribute.
  - 11. The computer-implemented method of claim 1, wherein the enforcing of the plurality of network policies comprises transmitting the plurality of network policies to a network agent configured to implement the plurality of network policies on the plurality of network entities.

12. A non-transitory computer-readable medium comprising instructions, the instructions, when executed by a computing system, cause the computing system to:
- receive a user intent statement sent by a user to affect a plurality of network policies for a plurality of network entities managed by the user, the user intent statement being an expression of one or more network rules to be translated into the plurality of network policies for the plurality of network entities, the user intent statement including a filter and an action;
  
  query, based on the filter, an inventory store to identify the plurality of network entities to which to apply the action, the inventory store including configuration data for the plurality of network entities, the configuration data received by and stored in the inventory store;
  
  generating the plurality of network policies that apply the action to the plurality of network entities; and
  
  enforcing the plurality of network policies.
- View Dependent Claims (13, 14)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the instructions further cause the computing system to:
    - receive observed data from at least one network agent configured to collected data associated with a host entity; and
      
      storing the observed data in a record in the inventory store associated with the host entity.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the observed data comprises at least one of policy enforcement data or entity performance data.

15. A system comprising:
- a processor; and
  
  a non-transitory computer-readable medium storing instructions that, when executed by the system, cause the system to;
  
  receive configuration data for a set of network entities in a network;
  
  maintain an inventory store comprising records associated with the configuration data, each network entity in the set of network entities associated with one of the records in the inventory store, the configuration data stored in the inventory store;
  
  receive a user intent statement sent by a user to affect a plurality of network policies for a plurality of network entities, in the set of network entities, managed by the user, the user intent statement being an expression of one or more network rules to be translated into the plurality of network policies for the plurality of network entities, the user intent statement including an action and a flow filter representing network data flows on which the action is to be applied;
  
  query, based on the flow filter, the inventory store to identify the plurality of network entities in the set of network entities to which the user intent statement applies;
  
  generate the plurality of network policies that implement the user intent statement based on the plurality of network entities and the action; and
  
  enforce the plurality of network policies.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein enforcing the plurality of network policies comprises transmitting the plurality of network policies to a network agent configured to implement the plurality of network policies on the plurality of network entities.
  - 17. The system of claim 15, wherein the network policies are implemented as an access control list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Prasad, Rohit, Gandham, Shashi, Nguyen, Hoang, Singh, Abhishek, Chang, Shih-Chun, Yadav, Navindra, Parandehgheibi, Ali, Mach, Paul, Agasthy, Rachita, Prasad, Ravi, Malhotra, Varun, Watts, Michael, Gupta, Sunil
Primary Examiner(s)
Yohannes, Tesfay

Application Number

US15/470,410
Publication Number

US 20180278480A1
Time in Patent Office

1,086 Days
Field of Search

709223, 709224, 709225
US Class Current
CPC Class Codes

H04L 41/0856   by backing up or archiving ...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

Intent driven network policy platform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

660 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Intent driven network policy platform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

660 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links