Method and apparatus for network wide policy-based analysis of configurations of devices
Abstract
A method and an apparatus for analyzing a network configuration against a corporate network policy and determining violation(s) against the corporate network policy. A report indicating the violation(s) can be generated indicating instances of the violation(s). An analysis platform reads in a network policy. The analysis platform collects configuration files from the relevant network devices in the network and builds up an internal instance of a network configuration model based on the configuration files and the network topology. The analysis platform analyzes this network configuration model according to the network policy and adds an entry to its final report each time that it detects a violation against the network policy in the network configuration model. The data in the entries pinpoints the cause of the deviation(s) from the network policy.
92 Claims
1-62. (canceled)
63. A method for a computer system comprises:
receiving a policy for a network comprising a plurality of network devices, including a first host server, in a network topology, wherein the first host server hosts a first application, and wherein the policy specifies a set of required traffic associated with the first host server;
receiving configuration data for at least some of the plurality of network devices;
computing network traffic on all network paths between the network devices in the network, in response to the configuration data and to the policy;
determining a relationship condition between computed network traffic associated with the first host server from the network traffic on all network paths to the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of: less than, equal, and greater than; and
determining a violation of the policy in response to the relationship condition.
Dependent claims: 64-72.
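An added illustration of the analysis the abstract and claim 63 describe (example code written for this page, not the patent's own implementation): over a constructed topology with per-device filter rules, the flows that reach a host server along any path are computed and compared with the policy's required traffic to yield less than, equal or greater than, plus the report entries that pinpoint the deviation. The device names, rules, flows and the extra "mixed" outcome for sets that are neither subset nor superset are assumptions.

```python
from itertools import product
# Constructed sample topology (assumption): undirected links between network devices.
LINKS = [("internet", "fw"), ("fw", "core"), ("core", "web"), ("fw", "dmz"), ("dmz", "web")]
ADJ = {}
for a, b in LINKS:
    ADJ.setdefault(a, set()).add(b); ADJ.setdefault(b, set()).add(a)

# Constructed per-device filter rules (assumption): (action, src, dst, port), "*" = any; first match wins.
RULES = {
    "fw":   [("deny", "*", "web", 22), ("permit", "*", "*", "*")],
    "core": [("deny", "internet", "web", 8443)],
}

def rule_matches(rule, flow):  # flow is (src, dst, port); each rule field is "*" or an exact value
    return all(r == "*" or r == f for r, f in zip(rule[1:], flow))

def device_permits(device, flow):
    for rule in RULES.get(device, []):
        if rule_matches(rule, flow):
            return rule[0] == "permit"
    return True  # no matching rule: this device does not filter the flow

def simple_paths(src, dst, path=()):
    """Yield every loop-free device path from src to dst (the 'all network paths' step)."""
    path = path + (src,)
    if src == dst:
        yield path
        return
    for nxt in ADJ.get(src, ()):
        if nxt not in path:
            yield from simple_paths(nxt, dst, path)

def computed_traffic(host, sources, ports):
    """Flows that reach host: permitted by every device along at least one path."""
    reach = set()
    for src, port in product(sources, ports):
        flow = (src, host, port)
        if any(all(device_permits(d, flow) for d in p) for p in simple_paths(src, host)):
            reach.add(flow)
    return reach

def check_policy(host, required, sources, ports):
    """Relate computed to required traffic; anything but 'equal' is a violation.
    The two difference lists are the report entries that pinpoint the deviation."""
    computed = computed_traffic(host, sources, ports)
    if computed == required:  relation = "equal"
    elif computed < required: relation = "less than"
    elif computed > required: relation = "greater than"
    else:                     relation = "mixed"  # assumption: neither subset nor superset
    return relation, relation != "equal", sorted(required - computed), sorted(computed - required)
```

In the sample, port 8443 is blocked at the core device but still reaches the host over the second path through the dmz device, which is exactly the kind of deviation that only an all-paths computation exposes.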
73. A computer program product for a computer system including a processor comprises:
code that directs the processor to receive a policy for a network comprising a plurality of network devices, including a first host server, in a network topology, wherein the first host server hosts a first application, and wherein the policy specifies a set of required traffic associated with the first host server;
code that directs the processor to receive configuration data for at least some of the plurality of network devices;
code that directs the processor to compute network traffic on all network paths between the network devices in the network, in response to the configuration data and to the policy;
code that directs the processor to determine a relationship condition between computed network traffic associated with the first host server in response to the network traffic on all network paths to the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of: less than, equal, and greater than; and
code that directs the processor to determine a violation of the policy in response to the relationship condition;
wherein the codes reside on a tangible media.
Dependent claims: 74-82.
83. A computer system comprises:
a processor; and
a memory coupled to the processor, wherein the memory includes:
a software module that directs the processor to receive a policy for a network comprising a plurality of network devices, including a first host server, in a network topology, wherein the first host server hosts a first application, and wherein the policy specifies a set of required traffic associated with the first host server;
a software module that directs the processor to receive configuration data for at least some of the plurality of network devices;
a software module that directs the processor to compute network traffic on all network paths between the network devices in the network, in response to the configuration data and to the policy;
a software module that directs the processor to determine a relationship condition between computed network traffic associated with the first host server in response to the network traffic on all network paths to the set of required traffic associated with the first host server, wherein the relationship condition is selected from a group consisting of: less than, equal, and greater than; and
a software module that directs the processor to determine a violation of the policy in response to the relationship condition.
Dependent claims: 84-92.
Specification