Patents by Inventor Natarajan Manthiramoorthy

Natarajan Manthiramoorthy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230403272
    Abstract: A multi-tenant, cloud-hosted Network Access Control (NAC) system may receive an indicator from a Network Access Server (NAS) device to identify the tenant with which the NAS device is associated. The NAS device may put the identifier in the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) extension Server Name Indication (SNI) field. The NAC system may use the identifier to obtain tenant-specific configuration information for setting up a secure tunnel with the NAS device.
    Type: Application
    Filed: September 21, 2022
    Publication date: December 14, 2023
    Inventors: Madhava Rao Cheethirala, Pavan Kumar Venkata Satish Bharathapudi, Natarajan Manthiramoorthy, Pavan Basetty, Raja Rao Tadimeti, Viacheslav Dementyev
  • Publication number: 20230403305
    Abstract: Techniques are described for configuration and application of intent-based network access control (NAC) policies for authentication and authorization of multi-tenant, network access server (NAS) devices to access enterprise networks of organizations. A network management system configures intent-based NAC policies for an organization. A cloud-based NAC system may apply an appropriate intent-based NAC policy in response to an authentication request from a NAS device. The NAC system identifies a vendor of the NAS device, matches incoming attributes in the authentication request to a set of normalized match rules of the intent-based NAC policy, and translates a set of abstracted policy results corresponding to the set of normalized match rules into a vendor-specific set of return attributes based on the vendor of the NAS device. The NAC system sends the vendor-specific set of return attributes to the NAS device to enable the NAS device to access the enterprise network of the organization.
    Type: Application
    Filed: September 30, 2022
    Publication date: December 14, 2023
    Inventors: Viacheslav Dementyev, Kesavan Kazhiyur Mannar, Madhava Rao Cheethirala, Natarajan Manthiramoorthy, Raja Rao Tadimeti
  • Publication number: 20230291735
    Abstract: Techniques are described for providing network provisioning by a network management system (NMS) based on fingerprint information determined by a network access control (NAC) system. An example method includes receiving, by the NAC system, a network access request for a client device to access an enterprise network; obtaining, by the NAC system, fingerprint information of the client device associated with the network access request, wherein the fingerprinting information comprises information specifying one or more attributes associated with the client device; authenticating, by the NAC system, the client device to access the enterprise network; sending, by the NAC system and to the NMS, the fingerprint information of the client device; and provisioning, by the NMS, one or more network resources associated with the client device based on the fingerprint information of the client device.
    Type: Application
    Filed: June 29, 2022
    Publication date: September 14, 2023
    Inventors: Madhava Rao Cheethirala, Raja Rao Tadimeti, Natarajan Manthiramoorthy
  • Patent number: 10951531
    Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: March 16, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Anand Kumar Singh, Venkatesh Srinivasan, Swaminathan Narayanan, Anulekha Chodey, Ambrish Niranjan Mehta, Natarajan Manthiramoorthy
  • Patent number: 10516598
    Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a network path having multiple hops associated with respective nodes which are configured in a forwarding mode. The system can traverse the network path to identify, for each node from the respective nodes, a respective next hop. Based on the respective next hop for each node, the system can determine whether two or more nodes from the respective nodes have a same respective next hop. When the two or more nodes have the same respective next hop, the system can determine that the network path has a network loop.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: December 24, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Patent number: 10516600
    Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.
    Type: Grant
    Filed: September 19, 2018
    Date of Patent: December 24, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Patent number: 10491508
    Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: November 26, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Patent number: 10333836
    Abstract: Methods for assisting data forwarding during convergence in a multi-homed network are disclosed. In one aspect, a first leaf node is configured to detect when a second leaf node advertises a set of Ethernet segments which are local to the first leaf and advertise reachability information for the second leaf, indicating itself as a backup for the second leaf during convergence. A spine node that receives advertisement messages from such first and second leaf nodes programs its routing table to indicate the direct route to the second leaf as the primary path and the route to the second leaf via the first leaf as a backup path to forward encapsulated packets destined to the second leaf. Upon failure of the second leaf, when the spine node receives data packets destined to the second leaf, the spine node sends the packets to the first leaf instead of the second leaf.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: June 25, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Rajesh Sharma
  • Patent number: 10320838
    Abstract: Systems, methods, and computer-readable media for preventing man-in-the-middle attacks within a network, without the need to maintain trusted/un-trusted port listings on each network device. The solutions disclosed herein leverage a host database which can be present on controllers, thereby providing a centralized database instead of a per-node DHCP binding database. Systems configured according to this disclosure (1) use a flood list only for ARP packets received from the controller 116; and (2) unicast ARP packets to the controller before communicating the packets to other VTEPs.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: June 11, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Venkatesh Srinivasan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey, Natarajan Manthiramoorthy, Swaminathan Narayanan
  • Publication number: 20190116125
    Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.
    Type: Application
    Filed: December 10, 2018
    Publication date: April 18, 2019
    Inventors: Anand Kumar Singh, Venkatesh Srinivasan, Swaminathan Narayanan, Anulekha Chodey, Ambrish Niranjan Mehta, Natarajan Manthiramoorthy
  • Publication number: 20190036809
    Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.
    Type: Application
    Filed: September 19, 2018
    Publication date: January 31, 2019
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Publication number: 20190020575
    Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.
    Type: Application
    Filed: September 17, 2018
    Publication date: January 17, 2019
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Patent number: 10153977
    Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.
    Type: Grant
    Filed: May 12, 2016
    Date of Patent: December 11, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Anand Kumar Singh, Venkatesh Srinivasan, Swaminathan Narayanan, Anulekha Chodey, Ambrish Niranjan Mehta, Natarajan Manthiramoorthy
  • Patent number: 10110469
    Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: October 23, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Publication number: 20180302321
    Abstract: Methods for assisting data forwarding during convergence in a multi-homed network are disclosed. In one aspect, a first leaf node is configured to detect when a second leaf node advertises a set of Ethernet segments which are local to the first leaf and advertise reachability information for the second leaf, indicating itself as a backup for the second leaf during convergence. A spine node that receives advertisement messages from such first and second leaf nodes programs its routing table to indicate the direct route to the second leaf as the primary path and the route to the second leaf via the first leaf as a backup path to forward encapsulated packets destined to the second leaf. Upon failure of the second leaf, when the spine node receives data packets destined to the second leaf, the spine node sends the packets to the first leaf instead of the second leaf.
    Type: Application
    Filed: April 13, 2017
    Publication date: October 18, 2018
    Applicant: CISCO TECHNOLOGY, INC.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Rajesh Sharma
  • Patent number: 10079752
    Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.
    Type: Grant
    Filed: August 9, 2016
    Date of Patent: September 18, 2018
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Publication number: 20180026871
    Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.
    Type: Application
    Filed: July 21, 2016
    Publication date: January 25, 2018
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Publication number: 20180026872
    Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.
    Type: Application
    Filed: August 9, 2016
    Publication date: January 25, 2018
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Publication number: 20180026810
    Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a network path having multiple hops associated with respective nodes which are configured in a forwarding mode. The system can traverse the network path to identify, for each node from the respective nodes, a respective next hop. Based on the respective next hop for each node, the system can determine whether two or more nodes from the respective nodes have a same respective next hop. When the two or more nodes have the same respective next hop, the system can determine that the network path has a network loop.
    Type: Application
    Filed: August 9, 2016
    Publication date: January 25, 2018
    Inventors: Natarajan Manthiramoorthy, Venkatesh Srinivasan, Swaminathan Narayanan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey
  • Publication number: 20180027012
    Abstract: Systems, methods, and computer-readable media for preventing man-in-the-middle attacks within a network, without the need to maintain trusted/un-trusted port listings on each network device. The solutions disclosed herein leverage a host database which can be present on controllers, thereby providing a centralized database instead of a per-node DHCP binding database. Systems configured according to this disclosure (1) use a flood list only for ARP packets received from the controller 116; and (2) unicast ARP packets to the controller before communicating the packets to other VTEPs.
    Type: Application
    Filed: July 20, 2016
    Publication date: January 25, 2018
    Inventors: Venkatesh Srinivasan, Ambrish Niranjan Mehta, Anand Kumar Singh, Anulekha Chodey, Natarajan Manthiramoorthy, Swaminathan Narayanan