Abstract: Systems and methods for selectively generating a telemetry report to calculate a flow or bit rate are disclosed. The methods include calculating a hash value of a packet, using it as a key to query a bloom filter, and obtaining a packet count. If the packet count reaches a trigger value, a telemetry report is generated and sent, along with the ingress timestamp, hash value, and the packet count, to the collector for calculating the flow rate (or bit rate). The collector compares the packet count and ingress timestamp of the packet of the first telemetry report with a second telemetry report, both reports being generated at various trigger values, and calculates the flow rate. If a hash collision is detected, the calculations are voided and an update to the hash function is suggested.

Abstract: A central controller in a data network can maintain a set of access control list (ACL) rules that represent traffic and data policies of the data network. The controller can autonomously propagate the set of ACL rules to switches in the data network. Each switch that receives the set of ACL rules can selectively install rules from the set based on criteria such as whether or not a given rule in the set is close to the source and device class.

Abstract: A central controller in a data network can maintain a set of access control list (ACL) rules that represent traffic and data policies of the data network. The controller can autonomously propagate the set of ACL rules to switches in the data network. Each switch that receives the set of ACL rules can selectively install rules from the set based on criteria such as whether or not a given rule in the set is close to the source and device class.

Abstract: Systems and methods are provided herein for transitioning a supplicant from one virtual local area network (VLAN) to another using a change of authorization (COA) message. This may be accomplished by an authentication server notifying a network device that a host should be granted access to the network, wherein the authentication server authenticates the host using MAC based authentication. Based on this notification and the MAC address of the host, the network device assigns the host to a first VLAN. If the authentication server determines that the host needs to change from the first VLAN to a second VLAN the authentication server generates a COA message, associated with the host, wherein the COA message comprises a VLAN identifier related to the second VLAN. The authentication server transmits the COA message to the network device causing the network device to route traffic to and from the host using the second VLAN.

Abstract: Systems and methods for selectively generating a telemetry report to calculate a flow or bit rate are disclosed. The methods include calculating a hash value of a packet, using it as a key to query a bloom filter, and obtaining a packet count. If the packet count reaches a trigger value, a telemetry report is generated and sent, along with the ingress timestamp, hash value, and the packet count, to the collector for calculating the flow rate (or bit rate). The collector compares the packet count and ingress timestamp of the packet of the first telemetry report with a second telemetry report, both reports being generated at various trigger values, and calculates the flow rate. If a hash collision is detected, the calculations are voided and an update to the hash function is suggested.

Abstract: Systems and methods are provided herein for transitioning a supplicant from one virtual local area network (VLAN) to another using a change of authorization (COA) message. This may be accomplished by an authentication server notifying a network device that a host should be granted access to the network, wherein the authentication server authenticates the host using MAC based authentication. Based on this notification and the MAC address of the host, the network device assigns the host to a first VLAN. If the authentication server determines that the host needs to change from the first VLAN to a second VLAN the authentication server generates a COA message, associated with the host, wherein the COA message comprises a VLAN identifier related to the second VLAN. The authentication server transmits the COA message to the network device causing the network device to route traffic to and from the host using the second VLAN.

Abstract: Systems and methods for INT telemetry are disclosed. The system selects a subset of flows from a plurality of flows to monitor. Parameters of the selected flows are sent by the management controller to an INT source for creating a watchlist. The INT source analyses an incoming packet against the parameters in the watchlist to determine if the packet belongs to a flow selected for monitoring. If the packet matches any one of the parameters, then the INT source embeds the packet with an IP address of a designated tenant collector and the INT instructions. A designated collector is allocated for each flow, set of flows, or tenant. Regardless of the path taken by the packet, the embedded INT packet contains all the information needed for a downstream network element to send telemetry data without the need for configuring the network element for telemetry.

Abstract: The disclosure describes processing packets in connection with a traceroute session in an overlay network that includes detecting traceroute probes using static and dynamic rules and using the time to live (TTL) value in a received traceroute probe to compute an outer TTL value. The TTL value (inner TTL) of the received probe is updated based on the number of underlay routers (hops) comprising the underlay network that are detected during the traceroute session. The received probe with its updated TTL value is encapsulated in an outer frame that includes the computed outer TTL value. The number of hops is updated each time an underlay router sends an ICMP time exceeded message.

Abstract: Systems and methods for managing a data packet's maximum transmission unit (MTU) limit in an in-band telemetry (INT) network are disclosed. The methods include a downstream network element receiving a packet with INT instructions and in response to determining that adding its own metadata would exceed the allowed MTU limit at its egress interface, generating and forwarding a telemetry report containing existing and new metadata to the designated collector, and forwarding the received packet without any metadata to the next hop. The methods forward the telemetry report to the collector when the packet's MTU limit is exceeded and thereby avoids uncontrolled growth of the packet size.

Abstract: A facility to determine if performance issues between two host computers in a data network includes a central controller identifying endpoints of a flow path between the two hosts. The central controller communicates with endpoint network devices to initiate telemetry tagging traffic on the flow path. A collector receives telemetry communicated in a packet from network devices on the flow path. A network operator can view the collected telemetry to assess whether the performance issue is in the network or not.

Abstract: Systems and methods for INT telemetry are disclosed. The system selects a subset of flows from a plurality of flows to monitor. Parameters of the selected flows are sent by the management controller to an INT source for creating a watchlist. The INT source analyses an incoming packet against the parameters in the watchlist to determine if the packet belongs to a flow selected for monitoring. If the packet matches any one of the parameters, then the INT source embeds the packet with an IP address of a designated tenant collector and the INT instructions. A designated collector is allocated for each flow, set of flows, or tenant. Regardless of the path taken by the packet, the embedded INT packet contains all the information needed for a downstream network element to send telemetry data without the need for configuring the network element for telemetry.

Abstract: A central controller in a data network can maintain a set of access control list (ACL) rules that represent traffic and data policies of the data network. The controller can autonomously propagate the set of ACL rules to switches in the data network. Each switch that receives the set of ACL rules can selectively install rules from the set based on criteria such as whether or not a given rule in the set is close to the source and device class.

Abstract: The disclosure describes processing packets in connection with a traceroute session in an overlay network that includes detecting traceroute probes using static and dynamic rules and using the time to live (TTL) value in a received traceroute probe to compute an outer TTL value. The TTL value (inner TTL) of the received probe is updated based on the number of underlay routers (hops) comprising the underlay network that are detected during the traceroute session. The received probe with its updated TTL value is encapsulated in an outer frame that includes the computed outer TTL value. The number of hops is updated each time an underlay router sends an ICMP time exceeded message.

Abstract: A packet loop runs between two participating endpoint network devices, and in particular runs in the respective data planes of the endpoint devices. A probe packet is provided to the data plane of an initiating device and is forwarded to the other device to initiate the packet loop. The source and destination addresses in the probe packet are set equal to a common address. Based on the common address, entries in the respective forwarding tables of the endpoint devices are established to point to each other so that the probe packet is forwarded back and forth between the two devices thus sustaining the packet loop. A broken loop indicates a forwarding path failure at which time corrective action to be taken.

Abstract: A packet loop runs between two participating endpoint network devices, and in particular runs in the respective data planes of the endpoint devices. A probe packet is provided to the data plane of an initiating device and is forwarded to the other device to initiate the packet loop. The source and destination addresses in the probe packet are set equal to a common address. Based on the common address, entries in the respective forwarding tables of the endpoint devices are established to point to each other so that the probe packet is forwarded back and forth between the two devices thus sustaining the packet loop. A broken loop indicates a forwarding path failure at which time corrective action to be taken.