Abstract: Systems, methods, and computer-readable media relate to providing a network management service. A system is configured to request first network information from a first component of a network using a public IP address for the first component, wherein the first network information includes private IP addresses for a second component in the network and translate, based on a mapping information for a private IP address space to a public IP address space, the private IP address for a second component to a public IP address for the second component. The system is further configured to request second network information from the second component using the public IP address and provide a network management service for the network based on the second network information.

Abstract: Systems, methods, and computer-readable media for configuring and verifying compliance requirements in a network.

Abstract: Systems, methods, and computer-readable media relate to providing a network management service. A system is configured to request first network information from a first component of a network using a public IP address for the first component, wherein the first network information includes private IP addresses for a second component in the network and translate, based on a mapping information for a private IP address space to a public IP address space, the private IP address for a second component to a public IP address for the second component. The system is further configured to request second network information from the second component using the public IP address and provide a network management service for the network based on the second network information.

Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.

Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given one of given entry and the priority value of the rule.

Abstract: Systems, methods, and computer-readable media for emulating a state of a network environment for purposes of re-executing a network assurance appliance in the emulated state of the network environment. In some embodiments, a method can include receiving snapshot data for a network environment corresponding to a specific time in the network environment and including network events occurring in the network environment generated by a network assurance appliance. A state of the network environment at the specific time can be emulated using the snapshot data to create an emulated state of the network environment. Subsequently, the network assurance appliance can be re-executed in the emulated state of the network environment corresponding to the specific time and the network assurance appliance can be debugged outside of the network environment based on re-execution of the network assurance appliance in the emulated state of the network environment.

Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.

Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given one of given entry and the priority value of the rule.

Abstract: Systems, methods, and computer-readable media for localizing faults in a network policy are disclosed. In some examples, a system or method can obtain TCAM rules across a network and use the TCAM rules to perform an equivalency check between the logical model and the hardware model of the network policy. One or more risk models are annotated with output from the equivalency check and the risk models are used to identify a set of policy objects of the network policy that are likely responsible for the faults. The identified set of policy objects are correlated with various logs of the network. Based on the correlation, specific policy objects of the set of policy objects that are associated with physical-level causes of the fault.

Abstract: Systems, methods, and computer-readable media for emulating a state of a network environment for purposes of re-executing a network assurance appliance in the emulated state of the network environment. In some embodiments, a method can include receiving snapshot data for a network environment corresponding to a specific time in the network environment and including network events occurring in the network environment generated by a network assurance appliance. A state of the network environment at the specific time can be emulated using the snapshot data to create an emulated state of the network environment. Subsequently, the network assurance appliance can be re-executed in the emulated state of the network environment corresponding to the specific time and the network assurance appliance can be debugged outside of the network environment based on re-execution of the network assurance appliance in the emulated state of the network environment.

Abstract: Systems, methods, and computer-readable media for assurance of quality-of-service configurations in a network. In some examples, a system obtains a logical model of a software-defined network, the logical model including rules specified for the software-defined network, the logical model being based on a schema defining manageable objects and object properties for the software-defined network. The system also obtains, for each node in the software-defined network, a respective hardware model, the respective hardware model including rules rendered at the node based on a respective node-specific representation of the logical model. Based on the logical model and the respective hardware model, the system can perform an equivalency check between the rules in the logical model and the rules in the respective hardware model to determine whether the logical model and the respective hardware model contain configuration inconsistencies.

Abstract: Systems, methods, and computer-readable media for localizing faults in a network policy are disclosed. In some examples, a system or method can obtain TCAM rules across a network and use the TCAM rules to perform an equivalency check between the logical model and the hardware model of the network policy. One or more risk models are annotated with output from the equivalency check and the risk models are used to identify a set of policy objects of the network policy that are likely responsible for the faults. The identified set of policy objects are correlated with various logs of the network. Based on the correlation, specific policy objects of the set of policy objects that are associated with physical-level causes of the fault.

Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to query a node in the network fabric for a number of hardware level entries, stored in memory for the node, that are associated with a concrete level network rule. The network assurance appliance may identify a logical level network intent associated with the concrete level network rule, identify a logical level component of the logical level network intent, and attribute the number of hardware level entries to the logical level component.

Abstract: Systems, methods, and computer-readable media for localizing faults in a network policy are disclosed. In some examples, a system or method can obtain TCAM rules across a network and use the TCAM rules to perform an equivalency check between the logical model and the hardware model of the network policy. One or more risk models are annotated with output from the equivalency check and the risk models are used to identify a set of policy objects of the network policy that are likely responsible for the faults.

Abstract: Systems, methods, and computer-readable media for collecting node information from a fabric and generating models based on the node information. In some examples, a system can obtain, from one or more controllers in a software-defined network (SDN), a logical model of the SDN, the logical model containing objects configured for the SDN from a hierarchical management information tree (MIT) associated with the SDN and representing configurations of the objects, the hierarchical MIT defining manageable objects and object properties for the SDN, the objects corresponding to the manageable objects. The system can obtain a topological model of a fabric associated with the SDN and, based on the topological model, poll nodes in the fabric for respective configurations at the nodes. Based on the respective configurations, the system can generate a node-specific representation of the logical model, the node-specific representation projecting the logical model on each node.

Abstract: Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.

Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to obtain reference concrete level rules for a node in the network, obtain implemented concrete level rules for the node from the node in the network, compare the reference concrete level rules with the implemented concrete level rules, and determining that the implemented concrete level rules are not appropriately configured based on the comparison.

Abstract: Systems, methods, and computer-readable media for receiving an indication of an equivalence failure, the equivalence failure corresponding to one or more models of network intents. The indication of the equivalence failure is analyzed and one or more constituent intents that caused the equivalence failure are identified, wherein the one or more constituent intents are associated with a model of the one or more models of network intents. The granularity of the equivalence failure and the identified one or more constituent intents is determined, and an event for external consumption is generated, the event based at least in part on the equivalence failure, the granularity of the equivalence failure, and the identified one or more constituent intents.

Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to query a node in the network fabric for a number of hardware level entries, stored in memory for the node, that are associated with a concrete level network rule. The network assurance appliance may identify a logical level network intent associated with the concrete level network rule, identify a logical level component of the logical level network intent, and attribute the number of hardware level entries to the logical level component.

Abstract: In some examples, a system obtains a network logical model and, for each node in a network, a node-level logical, concrete, and hardware model. The system identifies a service function chain, and determines a respective set of service function chain rules. For each node, the system determines whether the respective set of service function chain rules is correctly captured in the node-level logical model and/or concrete model to yield a node containment check result. Based on a comparison of policy actions in the concrete model, hardware model, and at least one of the node-level logical model or network logical model, the system determines whether the respective set of service function chain rules is correctly rendered on each node to yield a node rendering check result. Based on the node containment check result and node rendering check result, the system determines whether the service function chain is correctly configured.