公开(公告)号：US11563645B2

公开(公告)日：2023-01-24

申请号：US17153831

申请日：2021-01-20

Applicant: Cisco Technology, Inc.

Inventor： Advait Dixit ,  Ramana Rao Kompella ,  Kartik Mohanram ,  Sundar Iyer ,  Shadab Nazar ,  Chandra Nagarajan

IPC: G06F15/173 ,  H04L41/16 ,  H04L41/14 ,  H04L41/5022 ,  H04L41/5054 ,  H04L41/0631 ,  H04L41/0866 ,  H04L41/142 ,  H04L41/147 ,  H04L41/12 ,  H04L41/0893

Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given one of given entry and the priority value of the rule.

公开(公告)号：US11303531B2

公开(公告)日：2022-04-12

申请号：US16806377

申请日：2020-03-02

Applicant: Cisco Technology, Inc.

Inventor： Kartik Mohanram

IPC: H04L12/24 ,  H04L29/06 ,  H04L41/142 ,  H04L41/14 ,  H04L41/0873 ,  H04L41/0893 ,  H04L9/40 ,  H04L41/16 ,  H04L41/0631 ,  H04L43/10

Abstract: Systems, methods, and computer-readable media for generating counterexamples for equivalence failures between models of network intents. A listing of conflict rules corresponding to an equivalence failure between at least first and seconds model of networks intents describing the operation and communication of network devices in a network is obtained. A logical exclusive disjunction between first conflict rules from the first model and corresponding second conflict rules from the second model is calculated. One or more counterexamples corresponding to the equivalence failure are generated based at least in part on the logical exclusive disjunction, such that a given counterexample comprises network and packet conditions that cause the first conflict rules to trigger a first action and cause the second conflict rules to trigger a second action that is different from the first action. Hot fields that are more likely to be associated with the equivalence failure are identified in the counterexample.

公开(公告)号：US11218508B2

公开(公告)日：2022-01-04

申请号：US16217559

申请日：2018-12-12

Applicant: Cisco Technology, Inc.

Inventor： Advait Dixit ,  Navneet Yadav ,  Navjyoti Sharma ,  Ramana Rao Kompella ,  Kartik Mohanram

IPC: H04L29/06

Abstract: Systems, methods, and computer-readable media for assurance of rules in a network. An example method can include creating a compliance requirement including a first endpoint group (EPG) selector, a second EPG selector, a traffic selector, and a communication operator, the first and second EPG selectors representing sets of EPGs and the communication operator defining a communication condition for traffic associated with the first and second EPG selectors and the traffic selector. The method can include creating, for each distinct pair of EPGs, a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; creating a second respective data structure representing a logical model of the network; determining whether the first respective data structure is contained in the second respective data structure to yield a containment check; and determining whether policies on the network comply with the compliance requirement based on the containment check.

公开(公告)号：US11178009B2

公开(公告)日：2021-11-16

申请号：US16786349

申请日：2020-02-10

Applicant: Cisco Technology, Inc.

Inventor： Kartik Mohanram ,  Chandra Nagarajan ,  Sundar Iyer ,  Shadab Nazar ,  Ramana Rao Kompella

IPC: H04L12/24 ,  H04L12/26

Abstract: Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.

公开(公告)号：US20200186426A1

公开(公告)日：2020-06-11

申请号：US16786349

申请日：2020-02-10

Applicant: Cisco Technology, Inc.

Inventor： Kartik Mohanram ,  Chandra Nagarajan ,  Sundar Iyer ,  Shadab Nazar ,  Ramana Rao Kompella

IPC: H04L12/24 ,  H04L12/26

Abstract: Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.

公开(公告)号：US10554483B2

公开(公告)日：2020-02-04

申请号：US15663233

申请日：2017-07-28

Applicant: Cisco Technology, Inc.

Inventor： Chandra Nagarajan ,  Kartik Mohanram ,  Sundar Iyer ,  Ramana Rao Kompella

IPC: G06F15/177 ,  H04L12/24 ,  H04L12/46 ,  H04L29/06

Abstract: Systems, methods, and computer-readable media for performing network assurance in a traditional network. In some examples, a system can collect respective sets of configurations programmed at network devices in a network and, based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration including virtual local area networks (VLANs), access control lists (ACLs) associated with the VLANs, subnets, and/or a topology. Based on the network-wide configuration of the network, the system can compare the ACLs for each of the VLANs to yield a VLAN consistency check, compare respective configurations of the subnets to yield a subnet consistency check, and perform a topology consistency check based on the topology. Based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, the system can determine whether the respective sets of configurations programmed at the network devices contain a configuration error.

公开(公告)号：US20200036591A1

公开(公告)日：2020-01-30

申请号：US16595152

申请日：2019-10-07

Applicant: Cisco Technology, Inc.

Inventor： Kartik Mohanram

IPC: H04L12/24 ,  H04L29/08

Abstract: Systems, methods, and computer-readable media for identifying conflict rules between models of network intents. A first and second model of network intents are obtained, the models describing the operation and communication between one or more network devices in a network. A logical exclusive disjunction between the first and second models is calculated over the space of possible packet conditions and network actions defined by models, without enumerating all possible packet conditions and network actions. It is detected whether the models are in conflict with respect to at least a first network device. If the models are in conflict, it is determined whether a given rule of a plurality of rules associated with the first model is a conflict rule. The determining comprises calculating the intersection between the given rule and the logical exclusive disjunction, wherein the given rule is a conflict rule if the calculated intersection is non-zero.

公开(公告)号：US20180351806A1

公开(公告)日：2018-12-06

申请号：US15663642

申请日：2017-07-28

Applicant: Cisco Technology, Inc.

Inventor： Kartik Mohanram ,  Chandra Nagarajan ,  Advait Dixit ,  Ramana Rao Kompella

IPC: H04L12/24

CPC classification number: H04L41/145 ,  H04L41/0823 ,  H04L41/0873 ,  H04L41/0893

Abstract: Systems, methods, and computer-readable media for intent specification checks. In one example, a system obtains, from one or more controllers in a software-defined network, a logical model of the software-defined network, the logical model including configurations of one or more objects in a hierarchical management information tree that defines manageable objects and object properties for the software-defined network. Based on the hierarchical management information tree, the system performs a policy analysis of configurations in the logical model and determines, based on the policy analysis, whether the configurations in the logical model contain one or more errors.

公开(公告)号：US11888603B2

公开(公告)日：2024-01-30

申请号：US17157957

申请日：2021-01-25

Applicant: Cisco Technology, Inc.

Inventor： Advait Dixit ,  Navneet Yadav ,  Navjyoti Sharma ,  Ramana Rao Kompella ,  Kartik Mohanram

IPC: H04L29/06 ,  H04L12/26 ,  G06F16/22 ,  H04L9/40 ,  H04L43/08 ,  G06F9/455

CPC classification number: H04L63/20 ,  G06F16/2246 ,  H04L43/08 ,  G06F9/45558 ,  G06F2009/45562 ,  G06F2009/45595 ,  H04L63/20 ,  G06F9/45558

Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.

公开(公告)号：US20230236912A1

公开(公告)日：2023-07-27

申请号：US18180087

申请日：2023-03-07

Applicant: Cisco Technology, Inc.

Inventor： John Thomas Monk ,  Kartik Mohanram ,  Ramana Rao Kompella ,  Sundar Iyer

IPC: G06F11/07 ,  H04L43/0823 ,  H04L43/065 ,  H04L41/0631

CPC classification number: G06F11/0712 ,  H04L41/065 ,  H04L41/0631 ,  H04L43/065 ,  H04L43/0823

Abstract: Systems, methods, and computer-readable media for fault code aggregation across application-centric dimensions. In an example embodiment, a system obtains respective fault codes corresponding to one or more network devices in a network and maps the one or more network devices and/or the respective fault codes to respective logical policy entities defined in a logical policy model of the network, to yield fault code mappings. The system aggregates the one or more of the fault code mappings along respective logical policy dimensions in the network to yield an aggregation of fault codes across respective logical policy dimensions and, based on the aggregation, presents, for each of the respective logical policy dimensions, one or more hardware-level errors along the respective logical policy dimension.