US10554493B2 · US · B2
Similar publication in this corpus: Network-wide verification of invariants · US-9225601-B2 · Dec 29, 2015 · US
| Field | Value |
|---|---|
| Publication number | US-10554493-B2 |
| Application number | US-201715661899-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 27, 2017 |
| Priority date | Jun 19, 2017 |
| Publication date | Feb 4, 2020 |
| Grant date | Feb 4, 2020 |
Abstract
Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to obtain reference concrete level rules for a node in the network, obtain implemented concrete level rules for the node from the node in the network, compare the reference concrete level rules with the implemented concrete level rules, and determine that the implemented concrete level rules are not appropriately configured based on the comparison.
Claims
What is claimed is:
1. A computer-implemented method comprising: obtaining reference concrete level rules for a node in a network, comprising: receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network; creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node; obtaining, from the node in the network, implemented concrete level rules for the node; comparing the reference concrete level rules with the implemented concrete level rules; and determining that the implemented concrete level rules are not appropriately configured based on the comparing; wherein: concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow; the reference concrete level rules are the correct allow and deny rules of the node; and the implemented concrete level rules are the actual allow and deny rules being executed by the node.
2. The computer-implemented method of claim 1, further comprising: obtaining a logical model for the network from a controller for the network; generating, based on the logical model for the network, a logical model for the node; and generating, based on the logical model for the node, the reference concrete level rules for the node.
3. The computer-implemented method of claim 1, further comprising querying the node in the network for the implemented concrete level rules for the node.
4. The computer-implemented method of claim 1, further comprising comparing a number of reference concrete level rules with a number of implemented concrete level rules.
5. The computer-implemented method of claim 1, wherein the node is a leaf node.
6. The computer-implemented method of claim 1, wherein the reference concrete level rules are access control rules.
7. The computer-implemented method of claim 1, further comprising notifying a network administrator that the implemented concrete level rules are not appropriately configured.
8. The computer-implemented method of claim 1, further comprising recording the occurrence of a misconfiguration of the implemented concrete level rules along with a time stamp.
9. The computer-implemented method of claim 1, further comprising restarting the node.
10. The computer-implemented method of claim 1, further comprising: obtaining, from a controller, reference rule identifiers for the reference concrete level rules for the node in the network; obtaining, from the node, implemented rule identifiers associated with hardware level entries stored on the node; and determining that the hardware level entries stored on the node are not appropriately configured based on the reference rule identifiers and the implemented rule identifiers.
11. A system comprising: one or more processors; and at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the system to perform operations comprising: obtaining reference concrete level rules for a node in a network, comprising: receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network; creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node; obtaining, from the node in the network, implemented concrete level rules for the node; comparing the reference concrete level rules with the implemented concrete level rules; and determining that the implemented concrete level rules are not appropriately configured based on the comparing; wherein: concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow; the reference concrete level rules are the correct allow and deny rules of the node; and the implemented concrete level rules are the actual allow and deny rules being executed by the node.
12. The system of claim 11, further comprising: obtaining a logical model for the network from a controller for the network; generating, based on the logical model for the network, a logical model for the node; and generating, based on the logical model for the node, the reference concrete level rules for the node.
13. The system of claim 11, further comprising querying the node in the network for the implemented concrete level rules for the node.
14. The system of claim 11, further comprising comparing a number of reference concrete level rules with a number of implemented concrete level rules.
15. The system of claim 11, wherein the node is a leaf node.
16. A non-transitory computer-readable storage medium having stored therein instructions which, when executed, cause a system to perform operations comprising: obtaining reference concrete level rules for a node in a network, comprising: receiving a global logical model containing instructions on how endpoints connected to the network communicate within the network; creating the reference concrete level rules from the global logical model, the reference concrete rules being specific to operability of the node; obtaining, from the node in the network, implemented concrete level rules for the node; comparing the reference concrete level rules with the implemented concrete level rules; and determining that the implemented concrete level rules are not appropriately configured based on the comparing; wherein: concrete rules are (a) allow rules that define conditions to allow data flow and (b) deny rules that define conditions to deny data flow; the reference concrete level rules are the correct allow and deny rules of the node; and the implemented concrete level rules are the actual allow and deny rules being executed by the node.
17. The medium of claim 16, further comprising: obtaining a logical model for the network from a controller for the network; generating, based on the logical model for the network, a logical model for the node; and generating, based on the logical model for the node, the reference concrete level rules for the node.
18. The medium of claim 16, further comprising querying the node in the network for the implemented concrete level rules for the node.
19. The medium of claim 16, further comprising comparing a number of reference concrete level rules with a number of implemented concrete level rules.
20. The medium of claim 16, wherein the node is a leaf node.
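The check the claims describe, as an added worked example that is not code from the patent or its assignee: a global logical model of contracts between endpoint groups is reduced to the rules one leaf should be executing (claims 1 and 2), that reference set is compared with a snapshot of what the leaf actually programmed (claims 1 and 4), controller-issued rule identifiers are compared with the identifiers on the node's hardware entries (claim 10), and any mismatch is recorded with a time stamp (claim 8). The data model (endpoint groups, contracts, an implicit default deny, the shape of the hardware entries) and all sample data are constructed for illustration and are not the patent's format.

```python
"""Added example: reference-vs-implemented rule verification for one node.
Data model and sample inputs are assumed, not taken from the patent."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rule:
    src: str      # source endpoint group
    dst: str      # destination endpoint group
    proto: str
    port: int
    action: str   # "allow" or "deny"


# Constructed global logical model: where each endpoint group lives and
# which contracts exist between groups (assumed shape).
GLOBAL_MODEL = {
    "epg_placement": {"web": {"leaf1"}, "app": {"leaf2"}, "db": {"leaf1"}},
    "contracts": [
        {"consumer": "web", "provider": "app", "proto": "tcp", "port": 8080, "action": "allow"},
        {"consumer": "app", "provider": "db",  "proto": "tcp", "port": 5432, "action": "allow"},
        {"consumer": "web", "provider": "db",  "proto": "tcp", "port": 5432, "action": "deny"},
    ],
}

# Constructed snapshot of what leaf1 actually programmed (claim 3 would
# obtain this by querying the node). One rule is stale: allow instead of deny.
IMPLEMENTED_LEAF1 = {
    Rule("web", "app", "tcp", 8080, "allow"),
    Rule("app", "db", "tcp", 5432, "allow"),
    Rule("web", "db", "tcp", 5432, "allow"),   # should be deny
    Rule("any", "any", "any", 0, "deny"),
}

# Constructed rule identifiers: what the controller issued for leaf1 versus
# what is attached to the hardware entries read back from leaf1 (claim 10).
REFERENCE_IDS_LEAF1 = {4097, 4098, 4099, 4100}
HW_ENTRIES_LEAF1 = [{"rule_id": 4097}, {"rule_id": 4098}, {"rule_id": 4101}]


def node_logical_model(global_model, node):
    """Claim 2: keep only the contracts that involve a group present on `node`."""
    local = {g for g, nodes in global_model["epg_placement"].items() if node in nodes}
    return [c for c in global_model["contracts"]
            if c["consumer"] in local or c["provider"] in local]


def reference_rules(global_model, node):
    """Claims 1-2: the correct allow/deny rules the node should be executing."""
    rules = {Rule(c["consumer"], c["provider"], c["proto"], c["port"], c["action"])
             for c in node_logical_model(global_model, node)}
    rules.add(Rule("any", "any", "any", 0, "deny"))  # implicit default deny (assumed)
    return frozenset(rules)


def compare_rules(reference, implemented):
    """Claims 1 and 4: exact set difference plus the cheaper count comparison."""
    missing = frozenset(reference - implemented)
    extra = frozenset(implemented - reference)
    return {
        "missing": missing,
        "extra": extra,
        "count_mismatch": len(reference) != len(implemented),
        "misconfigured": bool(missing or extra),
    }


def check_hardware_entries(reference_ids, hw_entries):
    """Claim 10: controller rule ids versus ids on the node's hardware entries."""
    implemented_ids = {e["rule_id"] for e in hw_entries}
    return {"missing_ids": frozenset(reference_ids - implemented_ids),
            "unknown_ids": frozenset(implemented_ids - reference_ids)}


def record_misconfiguration(node, result, log, now=None):
    """Claim 8: append a time-stamped record of the mismatch; returns the record."""
    now = now or datetime.now(timezone.utc)
    entry = {"node": node, "ts": now.isoformat(),
             "missing": sorted(map(str, result["missing"])),
             "extra": sorted(map(str, result["extra"]))}
    log.append(entry)
    return entry


def audit_leaf1():
    """Run the whole check for leaf1 on the constructed data."""
    ref = reference_rules(GLOBAL_MODEL, "leaf1")
    result = compare_rules(ref, IMPLEMENTED_LEAF1)
    log = []
    if result["misconfigured"]:
        record_misconfiguration("leaf1", result, log)   # claim 7 would notify here
    return result, log


if __name__ == "__main__":
    result, log = audit_leaf1()
    print("misconfigured:", result["misconfigured"], "count mismatch:", result["count_mismatch"])
    for r in sorted(map(str, result["missing"])):
        print("missing:", r)
    for r in sorted(map(str, result["extra"])):
        print("extra:", r)
    print(check_hardware_entries(REFERENCE_IDS_LEAF1, HW_ENTRIES_LEAF1))
```

On the constructed data the counts agree (four reference rules, four implemented) while the rule sets differ, which is why the count comparison of claims 4, 14 and 19 is only a cheap first pass and the set comparison of claim 1 is the check that actually catches a wrong action; the reference set is also node-specific, so leaf2, which hosts only the `app` group, gets fewer rules than leaf1.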
Technology tags (CPC classification titles):
- by keeping history of different configuration generations or by rolling back to previous configuration versions
- by actively collecting configuration information or by backing up configuration information
- Rule management
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Access control lists [ACL]