Policy Verification in a Network

摘要

A determination is made at a network connected device that a network policy is to be verified. The network policy is applied to network packets sent to an endpoint within a network, and the application of the policy to network traffic can result in at least two outcomes. Another determination is made at the network connected device that a switch is provisionable to host the endpoint. The network connected device provisions a simulated endpoint version of the endpoint at the switch to host the policy. At least one packet is sent to the simulated endpoint via the network connected device for each of the at least two outcomes of the policy. At least one response is received by the network connected device from the simulated endpoint indicating how the policy was applied to each of the packets.

主权项

1. A method comprising:
determining, at a network connected device, a network policy to be verified, wherein the network policy is applied to network packets sent to an endpoint within a network, wherein application of the policy to network traffic can result in at least two outcomes; determining, at the network connected device, a switch that is provisionable to host the endpoint; provisioning, via the network connected device, a simulated endpoint version of the endpoint at the switch; sending, over the network via the network connected device, at least one packet for each of the at least two outcomes of the policy to the simulated endpoint; and receiving, via the network at the network connected device, at least one response from the simulated endpoint indicating how the policy was applied to each of the packets.