Method and apparatus for network wide policy-based analysis of configurations of devices
Abstract
A method and an apparatus for analyzing a network configuration against a corporate network policy and determining violation(s) against the corporate network policy. A report indicating the violation(s) can be generated indicating instances of the violation(s). An analysis platform reads in a network policy. The analysis platform collects configuration files from the relevant network devices in the network and builds up an internal instance of a network configuration model based on the configuration files and the network topology. The analysis platform analyzes this network configuration model according to the network policy and adds an entry to its final report each time that it detects a violation against the network policy in the network configuration model. The data in the entries pinpoints the cause of the deviation(s) from the network policy.
62 Claims
1. A method, using an analysis platform, for analyzing a network having a plurality of network devices, the method comprising the steps of:
receiving a network policy pertaining to said network, wherein the network policy includes a set of required IP traffic associated with at least a first application on a first host application server;
receiving a topology of said network devices in said network;
receiving configuration data from at least a portion of said network devices;
creating a network configuration model for said network based on said topology and said configuration data received; and
analyzing a software simulation of the network in response to said network configuration model and said network policy to determine an existence of a violation of said network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the network configuration model, wherein analyzing the software simulation of said network comprises:
determining whether a set of simulated IP traffic to the first application on the first host application server in the network configuration model from the set of simulated IP traffic for all the traversable paths is identical to the set of required IP traffic associated with the first application on the first host application server; and
determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is not identical to the set of required IP traffic associated with the first application on the first host application server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
22. In a network having a plurality of network devices, a method, using an analysis platform for analyzing a proposed change to a configuration file of one of said network devices, the method comprising the steps of:
receiving a network policy pertaining to said network, wherein the network policy comprises a set of required IP traffic appropriate for a first application on a first host application server;
receiving a network configuration model for said network, wherein said network configuration model is based on a topology of said network and configuration data pertaining to at least a portion of said network devices;
receiving said proposed change to said configuration file;
creating an updated network configuration model based on said proposed change; and
analyzing a software simulation of the network in response to said updated network configuration model in accordance with said network policy to determine the existence of a violation of said network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the updated network configuration model, wherein analyzing the software simulation comprises:
determining a set of simulated IP traffic to the first application on the first host application server from the set of simulated IP traffic for all traversable paths;
determining whether the set of simulated IP traffic to the first application on the first host application server in the updated network configuration model is identical to the set of required IP traffic; and
determining the existence of the violation of said network policy when the set of simulated IP traffic to the first application on the first host application server in the updated network configuration model is not identical to the set of required IP traffic.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32
33. A method, using an analysis platform, for analyzing a software simulation of the network in response to a proposed change to a network policy pertaining to a network, the method comprising the steps of:
receiving a network configuration model for said network, wherein said network configuration model is based on a topology of said network and configuration data pertaining to at least a portion of network devices in said network;
receiving said proposed change;
analyzing a software simulation of the network in response to a new network policy that incorporates said proposed change to determine the existence of a violation of said new network policy, wherein the software simulation of the network determines a set of simulated IP traffic for all traversable paths in the network configuration model; wherein the network policy comprises a set of required IP traffic appropriate for a first application host, and wherein analyzing the software simulation of the network comprises:
determining a set of simulated IP traffic to the first application on the first host application server in response to the set of simulated IP traffic for all traversable paths;
determining whether the set of simulated IP traffic to the first application on the first host application server in the network configuration model is identical to the set of required IP traffic; and
determining the existence of a problem with the new network policy when the set of simulated IP traffic to the first application on the first host application server in the network configuration model is not identical to the set of required IP traffic.
Dependent claims: 34, 35, 36, 37, 38, 39, 40, 41, 42
43. A computer program stored on a computer readable medium, performed by a computer, for analyzing a network having a plurality of network devices, the computer program comprising:
instructions for parsing a network policy file containing a network policy pertaining to said network, wherein the network policy describes a set of required IP traffic associated with a first application on the first host application server;
instructions for parsing a network topology file containing a topology of said network devices in said network, wherein said network devices have associated configuration files;
instructions for parsing associated configuration files of at least a subset of said network devices to obtain configuration data;
instructions for determining a network configuration model in response to said topology and said configuration data, wherein the network configuration model also comprises a set of simulated IP traffic associated with the first application on the first application server, derived from a set of simulated IP traffic for all traversable paths in the network configuration model, wherein a software simulation of the network determines the set of simulated IP traffic for all traversable paths in the network configuration model;
instructions for receiving a query for analyzing the set of simulated IP traffic associated with the first application server; and
instructions for using said query to determine the existence of a problem in response to the query, comprising instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server to the set of required IP traffic associated with the first application on the first host application server.
Dependent claims: 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55
56. A computer program stored on a computer readable medium for processing data, comprising:
instructions for receiving a network policy pertaining to a network wherein the network policy describes a set of required IP traffic associated with a first application on a first host server;
instructions for receiving a topology of a plurality of network devices in said network;
instructions for receiving configuration data from at least a portion of said plurality of network devices;
instructions for creating a network configuration model for said network based on said topology and said configuration data received, wherein the network configuration model comprises a set of simulated IP traffic associated with the first host server determined in response to a set of simulated IP traffic for all traversable paths in the topology of the plurality of network devices, wherein the set of simulated IP traffic for all traversable paths in the topology is determined in response to a software simulation of the network;
instructions for analyzing the set of simulated IP traffic associated with the first application on the first host server in accordance with said network policy to determine the existence of a violation of said network policy, comprising:
instructions for comparing the set of simulated IP traffic associated with the first application on the first host application server in the network configuration model to the required IP traffic associated with the first host server; and
instructions for generating a report specifying said violation if said violation exists.
Dependent claims: 57, 58, 59, 60, 61, 62
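A toy implementation of the analysis described in the abstract and in claims 1 and 22, added here as an illustration; it is not code from the patent or from its assignee. Everything concrete in it is an assumption made for the example: the device ACL format (first matching rule wins, implicit deny at the end of a non-empty ACL), the topology and host-attachment tables, the catalogue of candidate flows that the simulation tries, the policy expressed as a set of required (source host, application host, protocol, port) flows, and the shape of the report. The sample network, ACLs and proposed change are constructed for the example.

```python
"""Added example (not the patent's own code): a toy version of the policy-vs-
configuration analysis in the abstract and claims 1 and 22. The ACL model,
topology, policy format and report layout are assumptions for illustration."""
from copy import deepcopy
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterator, List, Optional, Set, Tuple

Flow = Tuple[str, str, str, int]  # (src_host, dst_host, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, sip: str, dip: str, proto: str, dport: int) -> bool:
        return (ip_address(sip) in ip_network(self.src)
                and ip_address(dip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


@dataclass
class Device:
    name: str
    acl: List[Rule] = field(default_factory=list)  # first match wins; implicit deny

    def permits(self, sip: str, dip: str, proto: str, dport: int) -> bool:
        for rule in self.acl:
            if rule.matches(sip, dip, proto, dport):
                return rule.action == "permit"
        return False


@dataclass
class Model:
    """Network configuration model: device configs, topology links, host attachment."""
    devices: Dict[str, Device]
    links: Set[FrozenSet[str]]          # undirected device-to-device links
    hosts: Dict[str, Tuple[str, str]]   # host -> (ip, attached device)

    def paths(self, cur: str, goal: str, seen: Tuple[str, ...] = ()) -> Iterator[Tuple[str, ...]]:
        """Enumerate loop-free device paths from cur to goal (the traversable paths)."""
        seen = seen + (cur,)
        if cur == goal:
            yield seen
            return
        for link in self.links:
            if cur in link:
                nxt = next(iter(link - {cur}))
                if nxt not in seen:
                    yield from self.paths(nxt, goal, seen)


def simulate(model: Model, candidates: List[Flow]) -> Set[Flow]:
    """Simulated IP traffic: candidate flows that some path permits at every hop."""
    reached: Set[Flow] = set()
    for flow in candidates:
        src, dst, proto, dport = flow
        sip, sdev = model.hosts[src]
        dip, ddev = model.hosts[dst]
        if any(all(model.devices[d].permits(sip, dip, proto, dport) for d in path)
               for path in model.paths(sdev, ddev)):
            reached.add(flow)
    return reached


def analyze(model: Model, app_host: str, required: Set[Flow], candidates: List[Flow]):
    """Claim 1 check: simulated traffic to the application host must equal the required set."""
    simulated = {f for f in simulate(model, candidates) if f[1] == app_host}
    return {"unexpected": sorted(simulated - required),  # exposure beyond the policy
            "missing": sorted(required - simulated)}     # required flow is blocked


def analyze_change(model: Model, device: str, new_acl: List[Rule], app_host, required, candidates):
    """Claim 22 check: apply a proposed ACL change to a copy of the model, then re-analyze."""
    updated = deepcopy(model)
    updated.devices[device].acl = list(new_acl)
    return analyze(updated, app_host, required, candidates)


# --- constructed sample input: two-tier network in front of one app host -----
APP = "10.2.0.10/32"
MODEL = Model(
    devices={
        "edge": Device("edge", [Rule("permit", "0.0.0.0/0", APP, "tcp", 443)]),
        "core": Device("core", [Rule("permit", "10.0.0.0/24", APP, "tcp", 22),
                                Rule("permit", "0.0.0.0/0", APP, "tcp", 443)]),
        "dc": Device("dc", [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None)]),
    },
    links={frozenset({"edge", "core"}), frozenset({"core", "dc"})},
    hosts={"internet-client": ("203.0.113.10", "edge"),
           "admin-pc": ("10.0.0.5", "core"),
           "app1": ("10.2.0.10", "dc")},
)
REQUIRED: Set[Flow] = {("internet-client", "app1", "tcp", 443),
                       ("admin-pc", "app1", "tcp", 443),
                       ("admin-pc", "app1", "tcp", 22)}
CANDIDATES: List[Flow] = [(s, "app1", "tcp", p)
                          for s in ("internet-client", "admin-pc") for p in (22, 443, 3306)]
# Proposed change: a broad "temporary" permit appended to the core ACL.
PROPOSED_CORE_ACL = MODEL.devices["core"].acl + [Rule("permit", "10.0.0.0/8", "10.2.0.0/24", "any", None)]


def baseline_report():
    return analyze(MODEL, "app1", REQUIRED, CANDIDATES)


def change_report():
    return analyze_change(MODEL, "core", PROPOSED_CORE_ACL, "app1", REQUIRED, CANDIDATES)


if __name__ == "__main__":
    print("baseline:", baseline_report())
    print("after proposed change:", change_report())
```

The "identical" test in claims 1 and 22 cuts both ways, which is why the report has two buckets: an unexpected flow is exposure the policy never granted (here the proposed core rule lets admin-pc reach app1 on 3306), while a missing flow is a required path that the configuration now blocks (emptying the edge ACL would drop the required internet-client HTTPS flow). Two caveats a practitioner should keep in mind: the simulation can only find flows that appear in the candidate catalogue, so the catalogue must cover every port and source the policy cares about, and a real analysis platform also has to model routing, NAT and stateful return traffic rather than just per-hop ACL matching as this toy does.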