Controlled micro fault injection on a distributed appliance

Information

  • Patent Grant
  • 11469986
  • Patent Number
    11,469,986
  • Date Filed
    Friday, September 22, 2017
    7 years ago
  • Date Issued
    Tuesday, October 11, 2022
    2 years ago
Abstract
Aspects of the technology provide methods for simulating a failure in a tenant network. In some aspects, a monitoring appliance of the disclosed technology can be configured to carry out operations for receiving packets at a virtual device in the monitoring appliance, from a corresponding network device in the tenant network, and instantiating a firewall at the virtual device, wherein the firewall is configured to selectively block traffic routed from the network device to the virtual device in the monitoring appliance. The monitoring appliance can simulate failure of the network device by blocking traffic from the network device to the virtual device using the firewall, and analyze the tenant network to determine a predicted impact a failure of the network device would have on the tenant network. Systems and machine-readable media are also provided.
Description
BACKGROUND
1. Technical Field

The present technology pertains to network configuration and troubleshooting, and more specifically to systems and methods for fault testing a tenant network using a monitoring appliance configured to simulate network failure events.


2. Introduction

Network configurations for large data center networks are often specified at a centralized controller. The controller can realize the intent in the network by programming switches and routers in the data center according to the specified network configurations. Network configurations are inherently very complex, and involve low level as well as high level configurations of several layers of the network such as access policies, forwarding policies, routing policies, security policies, QoS policies, etc. Given such complexity, the network configuration process is error prone.





BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and other advantages and features of the disclosure can be obtained, a more particular description of the principles briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only exemplary embodiments of the disclosure and are not therefore to be considered to be limiting of its scope, the principles herein are described and explained with additional specificity and detail through the use of the accompanying drawings in which:



FIG. 1 illustrates an example network environment in which some aspects of the technology can be implemented.



FIG. 2A illustrates an example network assurance appliance, according to some aspects of the technology.



FIG. 2B illustrates an example of a connection between an assurance appliance and devices in a tenant network according to some aspects of the technology.



FIG. 3 illustrates steps of an example process for simulating network error events at a tenant network, according to some aspects of the technology.



FIG. 4 illustrates an example network device in accordance with various embodiments.



FIG. 5 illustrates an example computing device in accordance with various embodiments.





DETAILED DESCRIPTION

The detailed description set forth below is intended as a description of various configurations of the disclosed technology and is not intended to represent the only configurations in which the technology can be practiced. The appended drawings are incorporated herein and constitute a part of the detailed description. The detailed description includes specific details for the purpose of providing a more thorough understanding of the subject technology. However, it will be clear and apparent that the subject technology is not limited to the specific details set forth herein and may be practiced without these details. In some instances, structures and components are shown in block diagram form in order to avoid obscuring the concepts of the subject technology.


Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or can be learned by practice of the herein disclosed principles. The features and advantages of the disclosure can be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the disclosure will become more fully apparent from the following description and appended claims, or can be learned by the practice of the principles set forth herein.


Overview:


In some computer network implementations, one or more network systems (e.g., “network appliances” or “appliances”) can be configured to be connected to and monitor the network fabric. Such deployments can be used to help troubleshoot customer (e.g. tenant) networking issues, to ensure conformity with agreed-upon networking policies such as service level agreements (SLAs), and to ensure an overall high quality of tenant experience.


In many network appliance deployments it may be desirable to test various portions of the network fabric and/or the monitoring appliance in order to proactively diagnose potential network issues. In conventional deployments, a network administrator may test the robustness of a particular network configuration by interrupting various services (e.g., virtual machines, containers, or network operators), and systems (e.g., servers, routers, and switches, etc.). However, the interruption of certain systems and services can be disruptive to active network users.


Description:


Aspects of the disclosed technology address the foregoing problems by providing a way to simulate specific network failure events, without the need for killing network components or suspending services in the tenant network. As such, implementations of the technology facilitate the convenient ability to “stress test” different portions of a network fabric, without degrading services to active users.


In some implementations, firewalls can be paired with one or more virtual machines (VMs) and/or network containers in the monitoring appliance. Using the firewalls, a network administrator can block specific ports/services to simulate the interruption of device or service availability in the network fabric (e.g., spine or leaf switches) Similarly, firewall configurations can be used to simulate the interruption of communication between operators, databases, and/or other VM's that are part of the network appliance.


The disclosure now turns to FIG. 1, which illustrates a diagram of an example network environment 100, such as a data center. Network 100 can include a Fabric 120 which can represent the physical layer or infrastructure (e.g., underlay) of the network 100. Fabric 120 can include Spines 102 (e.g., spine routers or switches) and Leafs 104 (e.g., leaf routers or switches) which can be interconnected for routing traffic in the Fabric 120. The Spines 102 can interconnect the Leafs 104 in the Fabric 120, and the Leafs 104 can connect the Fabric 120 to the overlay portion of the network 100, which can include application services, servers, virtual machines, containers, endpoints, etc. Thus, network connectivity in the Fabric 120 can flow from Spines 102 to Leafs 104, and vice versa. Leafs 104 can be, for example, top-of-rack (“ToR”) switches, aggregation switches, gateways, ingress and/or egress switches, provider edge devices, and/or any other type of routing or switching device.


Leafs 104 can be responsible for routing and/or bridging tenant or customer packets and applying network policies. Network policies can be driven by the one or more controllers 116 and/or the Leafs 104. The Leafs 104 can connect Servers 106, Hypervisors 108, Virtual Machines (VMs) 110, Applications 112, Endpoints 118, External Routers 114, etc., with the Fabric 120. For example, Leafs 104 can encapsulate and decapsulate packets to and from Servers 106 in order to enable communications throughout the network 100, including the Fabric 120. Leafs 104 can also provide any other devices, services, tenants, or workloads with access to the Fabric 120.


Applications 112 can include software applications, services, operators, containers, appliances, functions, service chains, etc. For example, Applications 112 can include a firewall, a database, a CDN server, an IDS/IPS, a deep packet inspection service, a message router, a virtual switch, etc. VMs 110 can be virtual machines hosted by Hypervisors 108 running on Servers 106. VMs 110 can include workloads running on a guest operating system on a respective server. Hypervisors 108 can provide a layer of software, firmware, and/or hardware that creates and runs the VMs 110. Hypervisors 108 can allow VMs 110 to share hardware resources on Servers 106, and the hardware resources on Servers 106 to appear as multiple, separate hardware platforms. Moreover, Hypervisors 108 on Servers 106 can each host one or more VMs 110.


In some cases, VMs 110 and/or Hypervisors 108 can be migrated to other Servers 106. Servers 106 can similarly be migrated to other locations in the network environment 100. For example, a server connected to a specific leaf can be changed to connect to a different or additional leaf. Such configuration or deployment changes can involve modifications to settings and policies that are applied to the resources being migrated.


In some cases, one or more Servers 106, Hypervisors 108, and/or VMs 110 can represent a tenant or customer space. Tenant space can include workloads, services, applications, devices, and/or resources that are associated with one or more clients or subscribers. Accordingly, traffic in the network environment 100 can be routed based on specific tenant policies, spaces, agreements, configurations, etc. Moreover, addressing can vary between one or more tenants. In some configurations, tenant spaces can be divided into logical segments and/or networks and separated from logical segments and/or networks associated with other tenants. Addressing, policy, and configuration information between tenants can be managed by one or more controllers 116.


Policies, configurations, settings, etc., in the network can be implemented at the application level, the physical level, and/or both. For example, one or more controllers 116 can define a policy model at the application level which defines policies and other settings for groups of applications or services, such as endpoint groups. In some addition, the Leafs 104, as well as other physical devices such as physical servers or Spines 102, can apply specific policies to traffic. For example, Leafs 104 can apply specific policies or contracts to traffic based on tags or characteristics of the traffic, such as protocols associated with the traffic, applications or endpoint groups associated with the traffic, network address information associated with the traffic, etc.


In some examples, network 100 can be configured according to a particular software-defined network (SDN) solution. The network 100 can deploy one or more SDN solutions, such as CISCO ACI or VMWARE NSX solutions. These example SDN solutions are briefly described below.


ACI is an example SDN solution which can be implemented in the network 100. ACI can provide an application policy-based solution through scalable distributed enforcement. ACI supports integration of physical and virtual environments under a declarative policy model for networks, servers, services, security, requirements, etc. For example, the ACI framework implements End Point Groups (EPGs), which can include a collection of endpoints or applications that share common policy requirements, such as security, QoS, services, etc. Endpoints can be virtual/logical or physical devices, such as VMs and bare-metal physical servers that are connected to the network 100. Endpoints can have one or more attributes such as VM name, guest OS name, a security tag, etc. Application policies can be applied between EPGs, instead of endpoints directly, in the form of contracts. The Leafs 104 can classify incoming traffic into different EPGs. The classification can be based on, for example, a network segment identifier such as a VLAN ID, VXLAN Network Identifier (VNID), NVGRE Virtual Subnet Identifier (VSID), MAC address, IP address, etc.


In some cases, classification in the ACI infrastructure can be implemented by Application Virtual Switches (AVS), which can run on a host, and physical hosts. For example, an AVS can classify traffic based on specified attributes, and tag packets of different attribute EPGs with different identifiers, such as network segment identifiers (e.g., VLAN ID). Finally, Leafs 104 can tie packets with their attribute EPGs based on their identifiers and enforce policies, which can be implemented and/or managed by one or more controllers 116, such as an application policy infrastructure controller (APIC). The Leaf 104 can classify to which EPG the traffic from a host belong and enforce policies accordingly.


Another example SDN solution is based on VMWare NSX. With VMWare NSX, hosts can run a distributed firewall (DFW) which can classify and process traffic. Consider a case where three types of VMs, namely, application, database and web VMs, are put into a single layer-2 network segment. Traffic protection can be provided within the network segment based on the VM type. For example, HTTP traffic can be allowed among web VMs, and disallowed between a web VM and an application or database VM. To classify traffic and implement policies, VMWARE NSX can implement security groups, which can be used to group the specific VMs (e.g., web VMs, application VMs, database VMs). DFW rules can be configured to implement policies for the specific security groups. To illustrate, from our previous example, DFW rules can be configured to block HTTP traffic between web, application, and database security groups.


Network 100 may deploy different hosts via the Leafs 104, Servers 106, Hypervisors 108, VMs 110, Applications 112, Controllers 116, and/or Endpoints 118, such as VMware ESXi hosts, Windows Hyper-V hosts, bare metal physical hosts, etc. The network 100 may interoperate with a wide variety of Hypervisors 108, Servers 106 (e.g., physical and/or virtual servers), SDN orchestration platforms, etc. The network 100 may implement a declarative model to allow its integration with application design and holistic network policy.


One or more controllers 116 can provide centralized access to fabric information, application configuration, resource configuration, application-level policy modeling for a software-defined network (SDN) infrastructure, integration with management systems or servers, etc. The one or more controllers 116 can form a control plane that interfaces with an application plane via northbound APIs and a data plane via southbound APIs. In some examples, the one or more controllers 116 can include SDN controllers or managers, such as an application policy infrastructure controller (APIC) or a vCenter NSX Manager.


As previously noted, controllers 116 can define and manage application-level model(s) for policies in the network 100. In some cases, application or device policies can also be managed and/or defined by other components in the network. For example, a hypervisor or virtual appliance, such as a VM or container, can run a server or management tool to manage software and services in the network 100, including policies and settings for virtual appliances.


Network 100 can include one or more different types of SDN solutions, hosts, etc. For the sake of clarity and explanation purposes, the examples in the following disclosure will be described in the context of an ACI solution implemented in the network 100, and the one or more controllers 116 may be interchangeably referenced as APIC controllers. However, it should be noted that the technologies and concepts herein are not limited to ACI architectures and may be implemented in other architectures and configurations, including other SDN solutions as well as other types of networks which may not deploy an SDN solution.


Further, as referenced herein, the term “hosts” can refer to servers 106 (e.g., physical or logical), Hypervisors 108, VMs 110, containers (e.g., Applications 112), EPs 118, etc., and can run or include any type of server or application solution. Non-limiting examples of “hosts” can include DVS virtual servers, vCenter and NSX Managers, bare metal physical hosts, AVS hosts, Hyper-V hosts, VMs, Docker Containers, Virtual Routers/Switches (e.g., VPP), etc.



FIG. 2A illustrates a diagram of an example Assurance Appliance 200 for network assurance. In this example, Appliance 200 can include k VMs 110 operating in cluster mode. VMs are used in this example for explanation purposes. However, it should be understood that other configurations are also contemplated herein, such as use of containers, bare metal devices, Endpoints 122, or any other physical or logical systems. Moreover, while FIG. 2A illustrates a cluster mode configuration, other configurations are also contemplated herein, such as a single mode configuration (e.g., single VM, container, or server) or a service chain for example.


Appliance 200 can run on one or more Servers 106, VMs 110, Hypervisors 108, EPs 122, Leafs 104, Controllers 116, or any other system or resource. For example, Assurance Appliance 200 can be a logical service or application running on one or more VMs 110 in Network Environment 100.


Appliance 200 can include Data Framework 208, which can be based on, for example, APACHE APEX and HADOOP. In some cases, assurance checks can be written as individual operators that reside in Data Framework 208. This enables a natively horizontal scale-out architecture that can scale to arbitrary number of switches in Fabric 120 (e.g., ACI fabric).


Appliance 200 can poll Fabric 120 at a configurable periodicity (e.g., an epoch). The analysis workflow can be setup as a DAG (Directed Acyclic Graph) of Operators 210, where data flows from one operator to another and eventually results are generated and persisted to Database 202 for each interval (e.g., each epoch).


The north-tier implements API Server (e.g., APACHE Tomcat and Spring framework) 204 and Web Server 206. A graphical user interface (GUI) interacts via the APIs exposed to the customer. These APIs can also be used by the customer to collect data from Assurance Appliance 200 for further integration into other tools.


Operators 210 in Data Framework 208 (e.g., APEX/Hadoop) can together support assurance operations. Below are non-limiting examples of assurance operations that can be performed by Assurance Appliance 200 via Operators 210.


Security Policy Adherence:


Assurance Appliance 200 can check to make sure the configurations or specification from L_Model 270A, which may reflect the user's intent for the network, including for example the security policies and customer-configured contracts, are correctly implemented and/or rendered in Li_Model 272, Ci_ Model 274, and Hi_ Model 276, and thus properly implemented and rendered by the fabric members (e.g., Leafs 104), and report any errors, contract violations, or irregularities found.


Static Policy Analysis:


Assurance Appliance 200 can check for issues in the specification of the user's intent or intents (e.g., identify contradictory or conflicting policies in L_Model 270A).


TCAM Utilization:


TCAM is a scarce resource in the fabric (e.g., Fabric 120). However, Assurance Appliance 200 can analyze the TCAM utilization by the network data (e.g., Longest Prefix Match (LPM) tables, routing tables, VLAN tables, BGP updates, etc.), Contracts, Logical Groups 118 (e.g., EPGs), Tenants, Spines 102, Leafs 104, and other dimensions in Network Environment 100 and/or objects in MIM 200, to provide a network operator or user visibility into the utilization of this scarce resource. This can greatly help for planning and other optimization purposes.


Endpoint Checks:


Assurance Appliance 200 can validate that the fabric (e.g. fabric 120) has no inconsistencies in the Endpoint information registered (e.g., two leafs announcing the same endpoint, duplicate subnets, etc.), among other such checks.


Tenant Routing/Forwarding Checks:


Assurance Appliance 200 can validate that BDs, VRFs, subnets (both internal and external), VLANs, contracts, filters, applications, EPGs, etc., are correctly programmed.


Infrastructure Routing:


Assurance Appliance 200 can validate that infrastructure routing (e.g., IS-IS protocol) has no convergence issues leading to black holes, loops, flaps, and other problems.


MP-BGP Route Reflection Checks:


The network fabric (e.g., Fabric 120) can interface with other external networks and provide connectivity to them via one or more protocols, such as Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), etc. The learned routes are advertised within the network fabric via, for example, MP-BGP. These checks can ensure that a route reflection service via, for example, MP-BGP (e.g., from Border Leaf) does not have health issues.


Logical Lint and Real-Time Change Analysis:


Assurance Appliance 200 can validate rules in the specification of the network (e.g., L_Model 270A) are complete and do not have inconsistencies or other problems. MOs in the MIM 200 can be checked by Assurance Appliance 200 through syntactic and semantic checks performed on L_Model 270A and/or the associated configurations of the MOs in MIM 200. Assurance Appliance 200 can also verify that unnecessary, stale, unused or redundant configurations, such as contracts, are removed.



FIG. 2B conceptually illustrates an example of a connection between an assurance appliance and devices in a tenant network. As illustrated in FIG. 2B, tenant network 212 includes various spine switches 222, which are coupled to leaf switches 244. For simplicity of illustration, host devices are not illustrated; however, one of skill in the art would understand that a greater (or fewer) number of spine switches 222, leaf switches 244, and/or host devices may be present in tenant network 212, without departing from the scope of the technology. Additionally tenant network 212 may include virtually any other virtual and/or physical devices without departing from the technology.


Appliance 210 includes multiple virtual machines (VMs), e.g., Resource 1 (VM1), and Resource 2 (VM2), each of which include a firewall, e.g., Firewall 1, and Firewall 2, respectively. It is understood that appliance 210 can include any number of physical/virtual devices, such as, containers and/or virtual machines, without departing from the technology.


In the example of FIG. 2B, appliance 210 is coupled to tenant network 212 via VM1 and VM2. Specifically, VM1 is coupled to Spine 1222, and VM 2 is coupled to Leaf 2244. Connections between VM1 and Spine 1222 are mediated by Firewall 1; connections between VM 2 and Leaf 2244 are mediated by Firewall 2.


In practice, packets transacted between VM 1 and Spine 1222 can be controlled by Firewall 1, and packets transacted between VM 2 and Leaf 2244, controlled by VM 2. In this manner, failures of Spine 1222 and Leaf 2244 can be simulated by blocking services and traffic at Firewall 1, and Firewall 2, respectively. As discussed above, blocking traffic at appliance 210 can be used to simulate failure events e.g., in Spine 1222 and Leaf 2244, without killing those devices. As such, appliance 210 can be used to simulate failure events in a tenant network (such as example tenant network 212) without disrupting devices or active services in the network fabric.



FIG. 3 illustrates steps of an example process 300 for simulating network error events at a tenant network. Process 300 begins with step 302 in which packets are received at a first virtual device in a network monitoring appliance that corresponds with a first network device in a tenant network. Similar to the example provided above with respect to FIG. 2B, the first virtual device of the network monitoring appliance can be a virtual machine, a network container, or the like. Similarly, the first network device in the tenant network may be a routing device, such as they spine switch, or a leaf switch, etc.


It is understood that the first virtual device and first network device may include any networking devices or appliances, without departing from the scope of the technology.


In step 304, a firewall is instantiated at the first virtual device. In some aspects, instantiation of the firewall may occur the same virtual environment of the first virtual device, i.e., within same VM or container. In other aspects, instantiation of the firewall may include instantiation of a new VM or container within the monitoring appliance, and that provides firewall filtering for traffic between the first virtual device and the corresponding first network device in the tenant network.


In step 306, a failure of the first network device is simulated by blocking traffic from the first network device to the first virtual device using the firewall. In some aspects, the firewall may be configured to block traffic associated with a specific function or service in order to simulate interruptions for that functionality in the corresponding first network device. In other aspects, while traffic from the first network device in the tenant network may be blocked, for example, to simulate the total failure with the first network device.


In step 308, and analysis of the tenant network is performed to determine a predicted impact that a failure of the first network device would have on the tenant network. As discussed above, a monitoring appliance (e.g., Appliance 200) can therefore be used to simulate network failure events for the purpose of “stress testing” certain failure scenarios. Such simulations can be performed without the need to suspend tenant services and/or device operation, which could disrupt concurrently connected clients and/or users.



FIG. 4 illustrates an example network device 400 suitable for implementing a network appliance of the subject technology. Network device 400 includes a central processing unit (CPU) 404, interfaces 402, and a bus 410 (e.g., a PCI bus). When acting under the control of appropriate software or firmware, the CPU 404 is responsible for executing packet management, error detection, and/or routing functions. CPU 404 accomplishes all these functions under the control of software including an operating system and any appropriate applications software. CPU 404 may include one or more processors 408, such as a processor from the INTEL X86 family of microprocessors. In some cases, processor 408 can be specially designed hardware for controlling the operations of network device 400. In some cases, a memory 406 (e.g., non-volatile RAM, ROM, etc.) also forms part of CPU 404. However, there are many different ways in which memory could be coupled to the system.


The interfaces 402 are typically provided as modular interface cards (sometimes referred to as “line cards”). They can control the sending and receiving of data packets over the network and sometimes support other peripherals used with the network device 400. Among the interfaces that may be provided are Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like. In addition, various very high-speed interfaces may be provided such as fast token ring interfaces, wireless interfaces, Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces, WIFI interfaces, 3G/4G/5G cellular interfaces, CAN BUS, LoRA, and the like. Generally, these interfaces may include ports appropriate for communication with the appropriate media. In some cases, they may also include an independent processor and, in some instances, volatile RAM. The independent processors may control such communications intensive tasks as packet switching, media control, signal processing, crypto processing, and management. By providing separate processors for the communications intensive tasks, these interfaces allow the master microprocessor 404 to efficiently perform routing computations, network diagnostics, security functions, etc.


Although the system shown in FIG. 4 is one specific network device of the present invention, it is by no means the only network device architecture on which the present invention can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc., is often used. Further, other types of interfaces and media could also be used with the network device 400.


Regardless of the network device's configuration, it may employ one or more memories or memory modules (including memory 406) configured to store program instructions for the general-purpose network operations and mechanisms for roaming, route optimization and routing functions described herein. The program instructions may control the operation of an operating system and/or one or more applications, for example. The memory or memories may also be configured to store tables such as mobility binding, registration, and association tables, etc. Memory 406 could also hold various software containers and virtualized execution environments and data.


In some implementations, the program instructions may be configured to cause CPU 404 and/or processor 408 to perform operations for simulating failure events in a tenant network. In particular, the program instructions can cause CUP 404 and/or processor 408 to perform operations for connecting each of a plurality of virtual devices in a monitoring appliance to a respective network device in a tenant network, receiving one or more packets, at a first virtual device in the monitoring appliance, from a corresponding first network device in the tenant network, instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the first network device to the first virtual device in the monitoring appliance, simulating failure of the first network device by blocking traffic from the first network device to the first virtual device using the firewall at the first virtual device, and based on the simulated failure of the first network device, analyzing the tenant network to determine a predicted impact a failure of the first network device would have on the tenant network.


In some implementations, the processors are further configured to perform operations including receiving one or more packets, at a second virtual device in the monitoring appliance, from a corresponding second network device in the tenant network, instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the second network device to the second virtual device in the monitoring appliance, simulating failure of the second network device by blocking traffic from the second network device to the second virtual device using the firewall at the second device, and based on the simulated failure of the second network device, analyzing the tenant network to determine a predicted impact a failure of the second network device would have on the tenant network.


In some aspects, the first virtual device in the monitoring appliance is a virtual machine (VM). In other aspects, the first virtual device in the monitoring appliance is a network container.


Network device 400 can also include an application-specific integrated circuit (ASIC), which can be configured to perform routing and/or switching operations. The ASIC can communicate with other components in the network device 400 via the bus 410, to exchange data and signals and coordinate various types of operations by the network device 400, such as routing, switching, and/or data storage operations, for example.



FIG. 5 illustrates a computing architecture 500 wherein the components of the system are in electrical communication with each other via connection 505, such as a bus. System 500 includes a processing unit (CPU or processor) 510 and a system connection 505 that couples various system components including system memory 515, such as read only memory (ROM) 520 and random access memory (RAM) 525, to processor 510. System 500 can include a cache of high-speed memory connected directly with, in close proximity to, or integrated as part of the processor 510. The system 500 can copy data from the memory 515 and/or the storage device 530 to the cache 512 for quick access by processor 510. In this way, the cache can provide a performance boost that avoids processor 510 delays while waiting for data. These and other modules can control or be configured to control the processor 510 to perform various actions. Other system memory 515 may be available for use as well. The memory 515 can include multiple different types of memory with different performance characteristics. The processor 510 can include any general purpose processor and a hardware or software service, such as service 1532, service 2534, and service 3536 stored in storage device 530, configured to control the processor 510 as well as a special-purpose processor where software instructions are incorporated into the actual processor design. The processor 510 may be a completely self-contained computing system, containing multiple cores or processors, a bus, memory controller, cache, etc. A multi-core processor may be symmetric or asymmetric.


To enable user interaction with the computing device 500, an input device 545 can represent any number of input mechanisms, such as a microphone for speech, a touch-sensitive screen for gesture or graphical input, keyboard, mouse, motion input, speech and so forth. An output device 535 can also be one or more of a number of output mechanisms known to those of skill in the art. In some instances, multimodal systems can enable a user to provide multiple types of input to communicate with the computing device 500. The communications interface 540 can generally govern and manage the user input and system output. There is no restriction on operating on any particular hardware arrangement and therefore the basic features here may easily be substituted for improved hardware or firmware arrangements as they are developed.


Storage device 530 is a non-volatile memory and can be a hard disk or other types of computer readable media which can store data that are accessible by a computer, such as magnetic cassettes, flash memory cards, solid state memory devices, digital versatile disks, cartridges, random access memories (RAMs) 525, read only memory (ROM) 520, and hybrids thereof.


The storage device 530 can include services 532, 534, 536 for controlling the processor 510. Other hardware or software modules are contemplated. Storage device 530 can be connected to the system connection 505. In one aspect, a hardware module that performs a particular function can include the software component stored in a computer-readable medium in connection with the necessary hardware components, such as the processor 510, connection 505, output device 535, and so forth, to carry out the function.


For clarity of explanation, in some instances the present technology may be presented as including individual functional blocks including functional blocks comprising devices, device components, steps or routines in a method embodied in software, or combinations of hardware and software.


In some embodiments the computer-readable storage devices, mediums, and memories can include a cable or wireless signal containing a bit stream and the like. However, when mentioned, non-transitory computer-readable storage media expressly exclude media such as energy, carrier signals, electromagnetic waves, and signals per se.


Methods according to the above-described examples can be implemented using computer-executable instructions that are stored or otherwise available from computer readable media. Such instructions can comprise, for example, instructions and data which cause or otherwise configure a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.


Portions of computer resources used can be accessible over a network. The computer executable instructions may be, for example, binaries, intermediate format instructions such as assembly language, firmware, or source code. Examples of computer-readable media that may be used to store instructions, information used, and/or information created during methods according to described examples include magnetic or optical disks, flash memory, USB devices provided with non-volatile memory, networked storage devices, and so on.


Devices implementing methods according to these disclosures can comprise hardware, firmware and/or software, and can take any of a variety of form factors. Typical examples of such form factors include laptops, smart phones, small form factor personal computers, personal digital assistants, rackmount devices, standalone devices, and so on. Functionality described herein also can be embodied in peripherals or add-in cards. Such functionality can also be implemented on a circuit board among different chips or different processes executing in a single device, by way of further example.


The instructions, media for conveying such instructions, computing resources for executing them, and other structures for supporting such computing resources are means for providing the functions described in these disclosures.


Although a variety of examples and other information was used to explain aspects within the scope of the appended claims, no limitation of the claims should be implied based on particular features or arrangements in such examples, as one of ordinary skill would be able to use these examples to derive a wide variety of implementations. Further and although some subject matter may have been described in language specific to examples of structural features and/or method steps, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to these described features or acts. For example, such functionality can be distributed differently or performed in components other than those identified herein. Rather, the described features and steps are disclosed as examples of components of systems and methods within the scope of the appended claims.

Claims
  • 1. A computer-implemented method for simulating network failure events at a monitoring appliance, comprising: receiving one or more packets, at a first virtual device in a monitoring appliance, from a corresponding first network device in a tenant network, the first network device being upstream from the first virtual device;instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the first network device to the first virtual device in the monitoring appliance by blocking specific ports/services to simulate the interruption of device or service availability;simulating failure of the first network device by blocking traffic from the first network device to the first virtual device using the firewall at the first virtual device; andbased on the simulated failure of the first network device, analyzing the tenant network to determine a predicted impact a failure of the first network device would have on the tenant network.
  • 2. The computer-implemented method of claim 1, further comprising: receiving one or more packets, at a second virtual device in the monitoring appliance, from a corresponding second network device in the tenant network;instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the second network device to the second virtual device in the monitoring appliance;simulating failure of the second network device by blocking traffic from the second network device to the second virtual device using the firewall at the second device; andbased on the simulated failure of the second network device, analyzing the tenant network to determine a predicted impact a failure of the second network device would have on the tenant network.
  • 3. The computer-implemented method of claim 1, wherein the first virtual device in the monitoring appliance is a virtual machine (VM).
  • 4. The computer-implemented method of claim 1, wherein the first virtual device in the monitoring appliance is a network container.
  • 5. The computer-implemented method of claim 1, wherein the first network device in the tenant network is a spine switch.
  • 6. The computer-implemented method of claim 1, wherein the first network device in the tenant network is a leaf switch.
  • 7. The computer-implemented method of claim 1, wherein the monitoring appliance comprises a series of virtual machines (VMs) operating in a cluster mode.
  • 8. A system for analyzing a network fabric the system comprising: one or more processors;a network interface coupled to the processors; anda non-transitory computer-readable medium coupled to the processors, the computer-readable medium comprising instructions stored therein, which when executed by the processors, cause the processors to perform operations comprising: connecting each of a plurality of virtual devices in a monitoring appliance to a respective network device in a tenant network;receiving one or more packets, at a first virtual device in the monitoring appliance, from a corresponding first network device in the tenant network, the first network device being upstream from the first virtual device by blocking specific ports/services to simulate the interruption of device or service availability;instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the first network device to the first virtual device in the monitoring appliance;simulating failure of the first network device by blocking traffic from the first network device to the first virtual device using the firewall at the first virtual device; andbased on the simulated failure of the first network device, analyzing the tenant network to determine a predicted impact a failure of the first network device would have on the tenant network.
  • 9. The system of claim 8, wherein the processors are further configured to perform operations comprising: receiving one or more packets, at a second virtual device in the monitoring appliance, from a corresponding second network device in the tenant network;instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the second network device to the second virtual device in the monitoring appliance;simulating failure of the second network device by blocking traffic from the second network device to the second virtual device using the firewall at the second device; andbased on the simulated failure of the second network device, analyzing the tenant network to determine a predicted impact a failure of the second network device would have on the tenant network.
  • 10. The system of claim 8, wherein the first virtual device in the monitoring appliance is a virtual machine (VM).
  • 11. The system of claim 8, wherein the first virtual device in the monitoring appliance is a network container.
  • 12. The system of claim 8, wherein the first network device in the tenant network is a spine switch.
  • 13. The system of claim 8, wherein the first network device in the tenant network is a leaf switch.
  • 14. The system of claim 8, wherein the monitoring appliance comprises a series of virtual machines (VMs) operating in a cluster mode.
  • 15. A non-transitory computer-readable storage medium comprising instructions stored therein, which when executed by one or more processors, cause the processors to perform operations comprising: connecting each of a plurality of virtual devices in a monitoring appliance to a respective network device in a tenant network;receiving one or more packets, at a first virtual device in the monitoring appliance, from a corresponding first network device in the tenant network, the first network device being upstream from the first virtual device by blocking specific ports/services to simulate the interruption of device or service availability;instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the first network device to the first virtual device in the monitoring appliance;simulating failure of the first network device by blocking traffic from the first network device to the first virtual device using the firewall at the first virtual device; andbased on the simulated failure of the first network device, analyzing the tenant network to determine a predicted impact a failure of the first network device would have on the tenant network.
  • 16. The non-transitory computer-readable storage medium of claim 15, wherein the processors are further configured to perform operations comprising: receiving one or more packets, at a second virtual device in the monitoring appliance, from a corresponding second network device in the tenant network;instantiating a firewall at the first virtual device, wherein the firewall is configured to selectively block traffic routed from the second network device to the second virtual device in the monitoring appliance;simulating failure of the second network device by blocking traffic from the second network device to the second virtual device using the firewall at the second device; andbased on the simulated failure of the second network device, analyzing the tenant network to determine a predicted impact a failure of the second network device would have on the tenant network.
  • 17. The non-transitory computer-readable storage medium of claim 15, wherein the first virtual device in the monitoring appliance is a virtual machine (VM).
  • 18. The non-transitory computer-readable storage medium of claim 15, wherein the first virtual device in the monitoring appliance is a network container.
  • 19. The non-transitory computer-readable storage medium of claim 15, wherein the first network device in the tenant network is a spine switch.
  • 20. The non-transitory computer-readable storage medium of claim 15, wherein the first network device in the tenant network is a leaf switch.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Application No. 62/521,023, filed Jun. 16, 2017, entitled “CONTROLLED MICRO-FAULT INJECTION AND REMOVAL ON A DISTRIBUTED APPLIANCE”, which is incorporated by reference in its entirety.

US Referenced Citations (176)
Number Name Date Kind
5204829 Lyu et al. Apr 1993 A
6763380 Mayton et al. Jul 2004 B1
7003562 Mayer Feb 2006 B2
7089369 Emberling Aug 2006 B2
7127686 Dreschler et al. Oct 2006 B2
7360064 Steiss et al. Apr 2008 B1
7453886 Allan Nov 2008 B1
7505463 Schuba et al. Mar 2009 B2
7548967 Amyot et al. Jun 2009 B2
7552201 Areddu et al. Jun 2009 B2
7609647 Turk et al. Oct 2009 B2
7619989 Guingo et al. Nov 2009 B2
7698561 Nagendra et al. Apr 2010 B2
7743274 Langford et al. Jun 2010 B2
7765093 Li et al. Jul 2010 B2
8010952 Datla et al. Aug 2011 B2
8073935 Viswanath Dec 2011 B2
8103480 Korn et al. Jan 2012 B2
8190719 Furukawa May 2012 B2
8209738 Nicol et al. Jun 2012 B2
8261339 Aldridge et al. Sep 2012 B2
8312261 Rao et al. Nov 2012 B2
8375117 Venable, Sr. Feb 2013 B2
8441941 McDade et al. May 2013 B2
8479267 Donley et al. Jul 2013 B2
8484693 Cox et al. Jul 2013 B2
8494977 Yehuda et al. Jul 2013 B1
8554883 Sankaran Oct 2013 B2
8589934 Makljenovic et al. Nov 2013 B2
8621284 Kato Dec 2013 B2
8627328 Mousseau et al. Jan 2014 B2
8693344 Adams et al. Apr 2014 B1
8693374 Murphy et al. Apr 2014 B1
8761036 Fulton et al. Jun 2014 B2
8782182 Chaturvedi et al. Jul 2014 B2
8824482 Kajekar et al. Sep 2014 B2
8910143 Cohen et al. Dec 2014 B2
8914843 Bryan et al. Dec 2014 B2
8924798 Jerde et al. Dec 2014 B2
9019840 Salam et al. Apr 2015 B2
9038151 Chua et al. May 2015 B1
9055000 Ghosh et al. Jun 2015 B1
9106555 Agarwal et al. Aug 2015 B2
9137096 Yehuda et al. Sep 2015 B1
9225601 Khurshid et al. Dec 2015 B2
9246818 Deshpande et al. Jan 2016 B2
9264922 Gillot et al. Feb 2016 B2
9276877 Chua et al. Mar 2016 B1
9319300 Huynh Van et al. Apr 2016 B2
9344348 Ivanov et al. May 2016 B2
9369434 Kim et al. Jun 2016 B2
9389993 Okmyanskiy et al. Jul 2016 B1
9405553 Branson et al. Aug 2016 B2
9444842 Porras et al. Sep 2016 B2
9497207 Dhawan et al. Nov 2016 B2
9497215 Vasseur et al. Nov 2016 B2
9544224 Chu et al. Jan 2017 B2
9548965 Wang et al. Jan 2017 B2
9553845 Talmor et al. Jan 2017 B1
9571502 Basso et al. Feb 2017 B2
9571523 Porras et al. Feb 2017 B2
9594640 Chheda Mar 2017 B1
9596141 McDowall Mar 2017 B2
9641249 Kaneriya et al. May 2017 B2
9654300 Pani May 2017 B2
9654361 Vasseur et al. May 2017 B2
9654409 Yadav et al. May 2017 B2
9660886 Ye et al. May 2017 B1
9660897 Gredler May 2017 B1
9667645 Belani et al. May 2017 B1
9680875 Knjazihhin et al. Jun 2017 B2
9686180 Chu et al. Jun 2017 B2
9686296 Murchison et al. Jun 2017 B1
9690644 Anderson et al. Jun 2017 B2
9781004 Danait et al. Oct 2017 B2
9787559 Schroeder Oct 2017 B1
9998247 Choudhury et al. Jun 2018 B1
10084795 Akireddy et al. Sep 2018 B2
10084833 McDonnell et al. Sep 2018 B2
10084895 Kasat et al. Sep 2018 B2
20020143855 Traversat et al. Oct 2002 A1
20020178246 Mayer Nov 2002 A1
20030229693 Mahlik et al. Dec 2003 A1
20040073647 Gentile et al. Apr 2004 A1
20040088586 Wesinger, Jr. May 2004 A1
20040168100 Thottan et al. Aug 2004 A1
20050108389 Kempin et al. May 2005 A1
20070011629 Shacham et al. Jan 2007 A1
20070124437 Chervets May 2007 A1
20070214244 Hitokoto et al. Sep 2007 A1
20080031147 Fieremans et al. Feb 2008 A1
20080117827 Matsumoto et al. May 2008 A1
20080133731 Bradley et al. Jun 2008 A1
20080172716 Talpade et al. Jul 2008 A1
20090240758 Pasko et al. Sep 2009 A1
20090249284 Antosz et al. Oct 2009 A1
20100191612 Raleigh Jul 2010 A1
20100198909 Kosbab et al. Aug 2010 A1
20110093612 Murakami Apr 2011 A1
20110295983 Medved et al. Dec 2011 A1
20110307886 Thanga Dec 2011 A1
20120054163 Liu et al. Mar 2012 A1
20120198073 Srikanth et al. Aug 2012 A1
20120297061 Pedigo et al. Nov 2012 A1
20130097660 Das et al. Apr 2013 A1
20130191516 Sears Jul 2013 A1
20140019597 Nath et al. Jan 2014 A1
20140177638 Bragg et al. Jun 2014 A1
20140222996 Vasseur et al. Aug 2014 A1
20140304831 Hidlreth et al. Oct 2014 A1
20140307556 Zhang Oct 2014 A1
20140321277 Lynn, Jr. et al. Oct 2014 A1
20140337500 Lee Nov 2014 A1
20140379915 Yang et al. Dec 2014 A1
20150019756 Masuda Jan 2015 A1
20150113143 Stuart et al. Apr 2015 A1
20150124826 Edsall et al. May 2015 A1
20150135012 Bhalla May 2015 A1
20150172104 Brandwine Jun 2015 A1
20150186206 Bhattacharya et al. Jul 2015 A1
20150188808 Ghanwani Jul 2015 A1
20150234695 Cuthbert et al. Aug 2015 A1
20150244617 Nakil et al. Aug 2015 A1
20150271104 Chikkamath et al. Sep 2015 A1
20150295771 Cuni et al. Oct 2015 A1
20150365314 Hiscock et al. Dec 2015 A1
20150381484 Hira et al. Dec 2015 A1
20160020993 Wu et al. Jan 2016 A1
20160021141 Liu et al. Jan 2016 A1
20160026631 Salam et al. Jan 2016 A1
20160036636 Erickson et al. Feb 2016 A1
20160048420 Gourlay et al. Feb 2016 A1
20160078220 Scharf et al. Mar 2016 A1
20160080350 Chaturvedi et al. Mar 2016 A1
20160080502 Yadav Mar 2016 A1
20160099883 Volt et al. Apr 2016 A1
20160105317 Zimmermann et al. Apr 2016 A1
20160112246 Singh et al. Apr 2016 A1
20160112269 Singh et al. Apr 2016 A1
20160149751 Pani et al. May 2016 A1
20160164748 Kim Jun 2016 A1
20160224277 Batra et al. Aug 2016 A1
20160241436 Fourie et al. Aug 2016 A1
20160254964 Benc Sep 2016 A1
20160255051 Williams Sep 2016 A1
20160267384 Salam et al. Sep 2016 A1
20160323319 Gourlay et al. Nov 2016 A1
20160330076 Tiwari et al. Nov 2016 A1
20160352566 Mekkattuparamban et al. Dec 2016 A1
20160359697 Scheib Dec 2016 A1
20160359912 Gupta Dec 2016 A1
20160380892 Mahadevan et al. Dec 2016 A1
20170026292 Smith et al. Jan 2017 A1
20170031800 Shani et al. Feb 2017 A1
20170031970 Burk Feb 2017 A1
20170048110 Wu et al. Feb 2017 A1
20170048126 Handige Shankar et al. Feb 2017 A1
20170054758 Maino et al. Feb 2017 A1
20170063599 Wu et al. Mar 2017 A1
20170093630 Foulkes Mar 2017 A1
20170093664 Lynam et al. Mar 2017 A1
20170093750 McBride et al. Mar 2017 A1
20170093918 Banerjee et al. Mar 2017 A1
20170111259 Wen et al. Apr 2017 A1
20170118167 Subramanya et al. Apr 2017 A1
20170126740 Bejarano Ardila et al. May 2017 A1
20170126792 Halpern et al. May 2017 A1
20170134233 Dong et al. May 2017 A1
20170163442 Shen et al. Jun 2017 A1
20170187577 Nevrekar et al. Jun 2017 A1
20170195187 Bennett et al. Jul 2017 A1
20170206129 Yankilevich et al. Jul 2017 A1
20170222873 Lee et al. Aug 2017 A1
20170353355 Danait et al. Dec 2017 A1
20180069754 Dasu et al. Mar 2018 A1
20180167294 Gupta et al. Jun 2018 A1
Foreign Referenced Citations (19)
Number Date Country
105471830 Apr 2016 CN
105721193 Jun 2016 CN
105721297 Jun 2016 CN
106130766 Nov 2016 CN
106603264 Apr 2017 CN
103701926 Jun 2017 CN
WO 2015014177 Feb 2015 WO
WO 2015187337 Dec 2015 WO
WO 2016011888 Jan 2016 WO
WO 2016039730 Mar 2016 WO
WO 2016072996 May 2016 WO
WO 2016085516 Jun 2016 WO
WO 2016093861 Jun 2016 WO
WO 2016119436 Aug 2016 WO
WO 2016130108 Aug 2016 WO
WO 2016161127 Oct 2016 WO
WO 2017031922 Mar 2017 WO
WO 2017039606 Mar 2017 WO
WO 2017105452 Jun 2017 WO
Non-Patent Literature Citations (36)
Entry
Liu et al., “A Real-Time Network Simulation Infrastracture Based on Open VPN,” Journal of Systems and Software, Aug. 4, 2008, pp. 1-45.
Author Unknown, “Aids to Pro-active Management of Distributed Resources through Dynamic Fault-Localization and Availability Prognosis,” FaultLocalization—TR01—CADlab, May 2006, pp. 1-9.
Author Unknown, “Requirements for applying formal methods to software-defined networking,” Telecommunication Standardization Sector of ITU, Series Y: Global Information Infrastructure, Internet Protocol Aspects and Next-Generation Networks, Apr. 8, 2015, pp. 1-20.
Cisco, “Verify Contracts and Rules in the ACI Fabric,” Cisco, Updated Aug. 19, 16, Document ID: 119023, pp. 1-20.
De Silva et al., “Network-wide Security Analysis,” Semantic Scholar, Oct. 25, 2011, pp. 1-11.
Fayaz, Seyed K., et al., “Efficient Network Reachability Analysis using a Succinct Control Plane Representation,” 2016, ratul.org, pp. 1-16.
Feldmann, Anja, et al., “IP Network Configuration for Intradomain Traffic Engineering,” Semantic Scholar, accessed on Jul. 20, 2017, pp. 1-27.
Han, Yoonseon, et al., “An Intent-based Network Virtualization Platform for SDN,” 2016 I FIP, pp. 1-6.
Han, Wonkyu, et al., “LPM: Layered Policy Management for Software-Defined Networks,” Mar. 8, 2016, pp. 1-8.
Kazemian, Peyman, et al., “Real Time Network Policy Checking using Header Space Analysis,” USENIX Association, 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI '13) pp. 99-111.
Khatkar, Pankaj Kumar, “Firewall Rule Set Analysis and Visualization, A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science,” Arizona State University, Dec. 2014, pp. 1-58.
Le, Franck, et al., “Minerals: Using Data Mining to Detect Router Misconfigurations,” CyLab, Carnegie Mellon University, CMU—CyLab—06-008, May 23, 2006, pp. 1-14.
Liang, Chieh-Jan Mike, et al., “SIFT: Building an Internet of Safe Things,” Microsoft, IPSN' 15, Apr. 14-16, 2015, Seattle, WA, ACM 978, pp. 1-12.
Lopes, Nuno P., et al., “Automatically verifying reachability and well-formedness in P4 Networks,” Microsoft, accessed on Jul. 18, 2017, pp. 1-13.
Mai, Haohui, et al., “Debugging the Data Plane with Anteater,” SIGCOMM11, Aug. 15-19, 2011, pp. 1-12.
Miller, Nancy, et al., “Collecting Network Status Information for Network-Aware Applications,” INFOCOM 2000, pp. 1-10.
Miranda, Joao Sales Henriques, “Fault Isolation in Software Defined Networks,” www.qsd.inescid.pt, pp. 1-10.
Moon, Daekyeong, et al., “Bridging the Software/Hardware Forwarding Divide,” Berkeley.edu, Dec. 18, 2010, pp. 1-15.
Shin, Seugwon, et al., “FRESCO: Modular Composable Security Services for Software-Defined Networks,” To appear in the ISOC Network and Distributed System Security Symposium, Feb. 2013, pp. 1-16.
Shukla, Apoorv, et al., “Towards meticulous data plane monitoring,” kaust.edu.sa, access on Aug. 1, 2017, pp. 1-2.
Tang, Yongning, et al., “Automatic belief network modeling via policy inference for SDN fault localization,” Journal of Internet Services and Applications, 2016, pp. 1-13.
Tomar, Kuldeep, et al., “Enhancing Network Security and Performance Using Optimized ACLs,” International Journal in Foundations of Computer Science & Technology (IJFCST), vol. 4, No. 6, Nov. 2014, pp. 25-35.
Tongaonkar, Alok, et al., “Inferring Higher Level Policies from Firewall Rules,” Proceedings of the 21st Large Installation System Administration Conference (LISA '07), Nov. 11-16, 2007, pp. 1-14.
Zhou, Shijie, et al., “High-Performance Packet Classification on GPU,” 2014 IEEE, pp. 1-6.
Cisco Systems, Inc., “The Cisco Application Policy Infrastructure Controller Introduction: What is the Cisco Application Policy Infrastructure Controller?” Jul. 31, 2014, 19 pages.
Jain, Praveen, et al., “In-Line Distributed and Stateful Security Policies for Applications in a Network Environment,” Cisco Systems, Inc., Aug. 16, 2016, 13 pages.
Maldonado-Lopez, Ferney, et al., “Detection and prevention of firewall—rule conflicts on software-defined networking,” 2015 7th International Workshop on Reliable Networks Design and Modeling (RNDM), IEEE, Oct. 5, 2015, pp. 259-265.
Vega, Andres, et al., “Troubleshooting Cisco Application Centric Infrastructure: Analytical problem solving applied to the Policy Driven Data Center,” Feb. 15, 2016, 84 pages.
Xia, Wenfeng, et al., “A Survey on Software-Defined Networking,” IEEE Communications Surveys and Tutorials, Mar. 16, 2015, pp. 27-51.
Akella, Aditya, et al., “A Highly Available Software Defined Fabric,” HotNets—XIII, Oct. 27-28, 2014, Los Angeles, CA, USA, Copyright 2014, ACM, pp. 1-7.
Alsheikh, Mohammad Abu, et al., “Machine Learning in Wireless Sensor Networks: Algorithms, Strategies, and Application,” Mar. 19, 2015, pp. 1-23.
Cisco Systems, Inc., “Cisco Application Centric Infrastructure 9ACI Endpoint Groups (EPG) Usange and Design,” White Paper, May 2014, pp. 1-14.
Dhawan, Mohan, et al., “SPHINX: Detecting Security Attacks in Software-Defined Networks,” NDSS 2015, Feb. 8-11, 2015, San Diego, CA, USA, Copyright 2015 Internet Society, pp. 1-15.
Lindem, A., et al., “Network Device YANG Organizational Model draft-rtgyangdt-rtgwg-device-model-01,” Network Working Group, Internet-draft, Sep. 21, 2015, pp. 1-33.
Panda, Aurojit, et al., “SCL: Simplifying Distributed SDN Control Planes,” people.eecs.berkeley.edu, Mar. 2017, pp. 1-17.
Yu et al., “A Flexible Framework for Wireless-Based Intelligent Sensor with Reconfigurability, Dynamic adding, and Web interface,” Conference Paper, Jul. 24, 2006, IEEE 2006, pp. 1-7.
Related Publications (1)
Number Date Country
20180367435 A1 Dec 2018 US
Provisional Applications (1)
Number Date Country
62521023 Jun 2017 US