Abstract: Systems, methods, and computer-readable media for identifying intra-priority class shadowed rules. A network intent model that is based at least in part on a priority-ordered listing of rules representing network intents is received, wherein each rule comprises a Boolean function of one or more packet characteristics and a corresponding network action. Each rule is sorted into a priority class, and for each priority class, it is determined whether each of its constituent rules are intra-priority class shadowed, wherein an intra-priority class shadowed rule can be constructed from the set comprising the remaining rules of the given priority class, and a non intra-priority class shadowed rule cannot be constructed from the set comprising the remaining rules of the given priority class.

Abstract: Systems, methods, and computer-readable media for discovering a network's topology and health. In some examples, a system can obtain, from at least one of a plurality of controllers on a network, a logical model of the network, the logical model including configurations of one or more objects defined for the network. Based on the logical model, the system can identify a respective location of the plurality of controllers in the network and a plurality of nodes in a fabric of the network. Based on the respective location of the plurality of controllers and plurality of nodes, the system can poll the plurality of controllers and plurality of nodes for respective status information, and determine a health and topology of the network based on the logical model, the respective location, and respective status information.

Abstract: Systems, methods, and computer-readable media for handling failure scenarios during data collection and analysis for assurance. In some examples, a system can obtain a logical model of a network and, based on the logical model, identify a plurality of controllers on the network and a plurality of nodes on a fabric of the network. The system can probe the plurality of controllers and plurality of nodes for respective status information, including respective reachability information, respective login diagnostics information, and/or respective software information. Based on the respective status information, the system can determine conditions at the plurality of controllers and the plurality of nodes and define one or more assurance operations based on the conditions at the plurality of controllers and the plurality of nodes. The system can then perform the one or more assurance operations.

Abstract: Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.

Abstract: Systems, methods, and computer-readable media for performing network assurance in a traditional network. In some examples, a system can collect respective sets of configurations programmed at network devices in a network and, based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration including virtual local area networks (VLANs), access control lists (ACLs) associated with the VLANs, subnets, and/or a topology. Based on the network-wide configuration of the network, the system can compare the ACLs for each of the VLANs to yield a VLAN consistency check, compare respective configurations of the subnets to yield a subnet consistency check, and perform a topology consistency check based on the topology. Based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, the system can determine whether the respective sets of configurations programmed at the network devices contain a configuration error.

Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to obtain reference concrete level rules for a node in the network, obtain implemented concrete level rules for the node from the node in the network, compare the reference concrete level rules with the implemented concrete level rules, and determining that the implemented concrete level rules are not appropriately configured based on the comparison.

Abstract: Systems, methods, and computer-readable media for receiving an indication of an equivalence failure, the equivalence failure corresponding to one or more models of network intents. The indication of the equivalence failure is analyzed and one or more constituent intents that caused the equivalence failure are identified, wherein the one or more constituent intents are associated with a model of the one or more models of network intents. The granularity of the equivalence failure and the identified one or more constituent intents is determined, and an event for external consumption is generated, the event based at least in part on the equivalence failure, the granularity of the equivalence failure, and the identified one or more constituent intents.

Abstract: Systems, methods, and computer-readable media relate to providing a network management service. A system is configured to request first network information from a first component of a network using a public IP address for the first component, wherein the first network information includes private IP addresses for a second component in the network and translate, based on a mapping information for a private IP address space to a public IP address space, the private IP address for a second component to a public IP address for the second component. The system is further configured to request second network information from the second component using the public IP address and provide a network management service for the network based on the second network information.

Abstract: Systems, methods, and computer-readable media for configuring and verifying compliance requirements in a network.

Abstract: Systems, methods, and computer-readable media for assurance of rules in a network. An example method can include creating a compliance requirement including a first endpoint group (EPG) selector, a second EPG selector, a traffic selector, and a communication operator, the first and second EPG selectors representing sets of EPGs and the communication operator defining a communication condition for traffic associated with the first and second EPG selectors and the traffic selector. The method can include creating, for each distinct pair of EPGs, a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; creating a second respective data structure representing a logical model of the network; determining whether the first respective data structure is contained in the second respective data structure to yield a containment check; and determining whether policies on the network comply with the compliance requirement based on the containment check.

Abstract: In some examples, a system creates a requirement including EPG selectors representing EPG pairs, a traffic selector, and a communication operator; determines that EPGs in distinct pairs are associated with different network contexts and, for each pair, which network context(s) contains associated policies; creates first data representing the pair, operator, and traffic selector; when only one network context contains the associated policies, creates second data representing a network model portion associated with the only network context and determines whether the first data is contained in the second data to yield a first check; when both network contexts contain the associated policies, also creates third data representing a network model portion associated with a second network context, and determines whether the first data is contained in the second and/or third data to yield a second check; and determines whether policies for the pairs comply with the requirement based on the checks.

Abstract: Systems, methods, and computer-readable media for performing semantic analysis to identify shadowing events. One or more models of network intents, based at least in part on a priority-ordered listing of rules representing network intents, is received. Each rule comprises a Boolean function of one or more packet characteristics and network fabric conditions, and a corresponding network action. For each given rule of the priority-ordered listing of rules, partial and complete shadowing events are detected based on semantic analysis. The semantic analysis comprises calculating an inverse set that comprises the inverse of the set comprising all rules with a higher or equal priority to the given rule, and then calculating a shadowing parameter that comprises the intersection between the inverse set and the given rule. If the shadowing parameter is equal to zero, a complete shadowing event is detected.

Abstract: Systems, methods, and computer-readable media for discovering a network's topology and health. In some examples, a system can obtain, from at least one of a plurality of controllers on a network, a logical model of the network, the logical model including configurations of one or more objects defined for the network. Based on the logical model, the system can identify a respective location of the plurality of controllers in the network and a plurality of nodes in a fabric of the network. Based on the respective location of the plurality of controllers and plurality of nodes, the system can poll the plurality of controllers and plurality of nodes for respective status information, and determine a health and topology of the network based on the logical model, the respective location, and respective status information.

Abstract: Systems, methods, and computer-readable media for emulating a state of a network environment for purposes of re-executing a network assurance appliance in the emulated state of the network environment. In some embodiments, a method can include receiving snapshot data for a network environment corresponding to a specific time in the network environment and including network events occurring in the network environment generated by a network assurance appliance. A state of the network environment at the specific time can be emulated using the snapshot data to create an emulated state of the network environment. Subsequently, the network assurance appliance can be re-executed in the emulated state of the network environment corresponding to the specific time and the network assurance appliance can be debugged outside of the network environment based on re-execution of the network assurance appliance in the emulated state of the network environment.

Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to query a node in the network fabric for a number of hardware level entries, stored in memory for the node, that are associated with a concrete level network rule. The network assurance appliance may identify a logical level network intent associated with the concrete level network rule, identify a logical level component of the logical level network intent, and attribute the number of hardware level entries to the logical level component.

Abstract: Systems, methods, and computer-readable media for receiving an indication of an equivalence failure, the equivalence failure corresponding to one or more models of network intents. The indication of the equivalence failure is analyzed and one or more constituent intents that caused the equivalence failure are identified, wherein the one or more constituent intents are associated with a model of the one or more models of network intents. The granularity of the equivalence failure and the identified one or more constituent intents is determined, and an event for external consumption is generated, the event based at least in part on the equivalence failure, the granularity of the equivalence failure, and the identified one or more constituent intents.

Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to obtain reference concrete level rules for a node in the network, obtain implemented concrete level rules for the node from the node in the network, compare the reference concrete level rules with the implemented concrete level rules, and determining that the implemented concrete level rules are not appropriately configured based on the comparison.

Abstract: Systems, methods, and computer-readable media for receiving one or more models of network intents, comprising a plurality of contracts between providers and consumers, each contract containing entries with priority values. Each contract is flattened into a listing of rules and a new priority value is calculated. The listing of rules encodes the implementation of the contract between the providers and the consumers. Each entry is iterated over and added to a listing of entries if it is not already present. For each rule, the one or more entries associated with the contract from which the rule was flattened are identified, and for each given entry a flat rule comprising the combination of the rule and the entry is generated, wherein a flattened priority is calculated based at least in part on the priority value of the given one of given entry and the priority value of the rule.

Abstract: Systems, methods, and computer-readable media for fault code aggregation across application-centric dimensions. In an example embodiment, a system obtains respective fault codes corresponding to one or more network devices in a network and maps the one or more network devices and/or the respective fault codes to respective logical policy entities defined in a logical policy model of the network, to yield fault code mappings. The system aggregates the one or more of the fault code mappings along respective logical policy dimensions in the network to yield an aggregation of fault codes across respective logical policy dimensions and, based on the aggregation, presents, for each of the respective logical policy dimensions, one or more hardware-level errors along the respective logical policy dimension.

Abstract: Systems, methods, and computer-readable media for discovering a network's topology and health. In some examples, a system can obtain, from at least one of a plurality of controllers on a network, a logical model of the network, the logical model including configurations of one or more objects defined for the network. Based on the logical model, the system can identify a respective location of the plurality of controllers in the network and a plurality of nodes in a fabric of the network. Based on the respective location of the plurality of controllers and plurality of nodes, the system can poll the plurality of controllers and plurality of nodes for respective status information, and determine a health and topology of the network based on the logical model, the respective location, and respective status information.