Abstract: Systems, methods, and computer-readable media analyzing memory usage in a network node. A network assurance appliance may be configured to determine a hit count for a concrete level rule implemented on a node and identify one or more components of a logical model, wherein each of the one or more components are associated with the concrete level rule. The network assurance appliance may attribute the hit count for the concrete level rule to each of the components of the logical model, determine a number of hardware level entries associated with the each of the one or more components, and generate a report comprising the one or more components of the logical model, the hit count attributed to each of the one or more components of the logical model, and the number of hardware level entries associated with the one or more components of the logical model.

Abstract: Systems, methods, and computer-readable media for handling failure scenarios during data collection and analysis for assurance. In some examples, a system can obtain a logical model of a network and, based on the logical model, identify a plurality of controllers on the network and a plurality of nodes on a fabric of the network. The system can probe the plurality of controllers and plurality of nodes for respective status information, including respective reachability information, respective login diagnostics information, and/or respective software information. Based on the respective status information, the system can determine conditions at the plurality of controllers and the plurality of nodes and define one or more assurance operations based on the conditions at the plurality of controllers and the plurality of nodes. The system can then perform the one or more assurance operations.

Abstract: Systems, methods, and computer-readable media for collecting node information from a fabric and generating models based on the node information. In some examples, a system can obtain, from one or more controllers in a software-defined network (SDN), a logical model of the SDN, the logical model containing objects configured for the SDN from a hierarchical management information tree (MIT) associated with the SDN and representing configurations of the objects, the hierarchical MIT defining manageable objects and object properties for the SDN, the objects corresponding to the manageable objects. The system can obtain a topological model of a fabric associated with the SDN and, based on the topological model, poll nodes in the fabric for respective configurations at the nodes. Based on the respective configurations, the system can generate a node-specific representation of the logical model, the node-specific representation projecting the logical model on each node.

Abstract: Systems, methods, and computer-readable media for localizing faults in a network policy are disclosed. In some examples, a system or method can obtain TCAM rules across a network and use the TCAM rules to perform an equivalency check between the logical model and the hardware model of the network policy. One or more risk models are annotated with output from the equivalency check and the risk models are used to identify a set of policy objects of the network policy that are likely responsible for the faults. The identified set of policy objects are correlated with various logs of the network. Based on the correlation, specific policy objects of the set of policy objects that are associated with physical-level causes of the fault.

Abstract: Systems, methods, and computer-readable media for performing semantic analysis to identify shadowing events. One or more models of network intents, based at least in part on a priority-ordered listing of rules representing network intents, is received. Each rule comprises a Boolean function of one or more packet characteristics and network fabric conditions, and a corresponding network action. For each given rule of the priority-ordered listing of rules, partial and complete shadowing events are detected based on semantic analysis. The semantic analysis comprises calculating an inverse set that comprises the inverse of the set comprising all rules with a higher or equal priority to the given rule, and then calculating a shadowing parameter that comprises the intersection between the inverse set and the given rule. If the shadowing parameter is equal to zero, a complete shadowing event is detected.

Abstract: Systems, methods, and computer-readable media for localizing faults in a network policy are disclosed. In some examples, a system or method can obtain TCAM rules across a network and use the TCAM rules to perform an equivalency check between the logical model and the hardware model of the network policy. One or more risk models are annotated with output from the equivalency check and the risk models are used to identify a set of policy objects of the network policy that are likely responsible for the faults.

Abstract: Systems, methods, and computer-readable media for performing network assurance in a traditional network. In some examples, a system can collect respective sets of configurations programmed at network devices in a network and, based on the respective sets of configurations, determine a network-wide configuration of the network, the network-wide configuration including virtual local area networks (VLANs), access control lists (ACLs) associated with the VLANs, subnets, and/or a topology. Based on the network-wide configuration of the network, the system can compare the ACLs for each of the VLANs to yield a VLAN consistency check, compare respective configurations of the subnets to yield a subnet consistency check, and perform a topology consistency check based on the topology. Based on the VLAN consistency check, the subnet consistency check, and the topology consistency check, the system can determine whether the respective sets of configurations programmed at the network devices contain a configuration error.

Abstract: Systems, methods, and computer-readable media for intent specification checks. In one example, a system obtains, from one or more controllers in a software-defined network, a logical model of the software-defined network, the logical model including configurations of one or more objects in a hierarchical management information tree that defines manageable objects and object properties for the software-defined network. Based on the hierarchical management information tree, the system performs a policy analysis of configurations in the logical model and determines, based on the policy analysis, whether the configurations in the logical model contain one or more errors.

Abstract: Systems, methods, and computer-readable media for identifying intra-priority class shadowed rules. A network intent model that is based at least in part on a priority-ordered listing of rules representing network intents is received, wherein each rule comprises a Boolean function of one or more packet characteristics and a corresponding network action. Each rule is sorted into a priority class, and for each priority class, it is determined whether each of its constituent rules are intra-priority class shadowed, wherein an intra-priority class shadowed rule can be constructed from the set comprising the remaining rules of the given priority class, and a non intra-priority class shadowed rule cannot be constructed from the set comprising the remaining rules of the given priority class.

Abstract: Systems, methods, and computer-readable media for assurance of quality-of-service configurations in a network. In some examples, a system obtains a logical model of a software-defined network, the logical model including rules specified for the software-defined network, the logical model being based on a schema defining manageable objects and object properties for the software-defined network. The system also obtains, for each node in the software-defined network, a respective hardware model, the respective hardware model including rules rendered at the node based on a respective node-specific representation of the logical model. Based on the logical model and the respective hardware model, the system can perform an equivalency check between the rules in the logical model and the rules in the respective hardware model to determine whether the logical model and the respective hardware model contain configuration inconsistencies.

Abstract: Systems, methods, and computer-readable media for static network policy analysis for a network. In one example, a system obtains a logical model based on configuration data stored in a controller on a software-defined network, the logical model including a declarative representation of respective configurations of objects in the software-defined network, the objects including one or more endpoint groups, bridge domains, contexts, or tenants. The system defines rules representing respective conditions of the objects according to a specification corresponding to the software-defined network, and determines whether the respective configuration of each of the objects in the logical model violates one or more of the rules associated with that object. When the respective configuration of an object in the logical model violates one or more of the rules, the system detects an error in the respective configuration associated with that object.

Abstract: In some examples, a system obtains a network logical model and, for each node in a network, a node-level logical, concrete, and hardware model. The system identifies a service function chain, and determines a respective set of service function chain rules. For each node, the system determines whether the respective set of service function chain rules is correctly captured in the node-level logical model and/or concrete model to yield a node containment check result. Based on a comparison of policy actions in the concrete model, hardware model, and at least one of the node-level logical model or network logical model, the system determines whether the respective set of service function chain rules is correctly rendered on each node to yield a node rendering check result. Based on the node containment check result and node rendering check result, the system determines whether the service function chain is correctly configured.

Abstract: A method and apparatus for automatically localizing failures in a network. Failures can be localized by receiving an observation, querying a database for a plurality of models of risks and calculating a hypothesis from the plurality of models of risks that explains the observation. The observation comprises link failures reported by a plurality of data sources. The plurality of models or risks represents links that would likely be impacted by the failure of each component within the network stored in a Shared Risk Link Group (SRLG) database. A Spatial Correlation Engine (SCORE) applies an algorithm to calculate a hypothesis from the plurality of models of risks that explains the observation, thereby, automatically localizing failures in a network.