Abstract: Methods, systems, and computer programs are presented for creating a secure network fabric and for adding trusted devices to an existing secure network fabric. One method includes an operation for setting a switch into a provisioning mode where the switch does not enforce secure communications. While the switch is in provisioning mode, the method performs operations including establishing a connection from the switch to a provisioning controller, sending a certificate signing request (CSR) from the switch to the provisioning controller, and receiving, from the provisioning controller, a security certificate generated by a certificate authority. The method further includes an operation for entering a lockdown mode by the switch after receiving the security certificate, where the switch, while in lockdown mode, secures communications utilizing the security certificate.

Abstract: A packet forwarding network may include switches that forward network packets between end hosts. A monitoring network may be coupled to the forwarding network. A controller may control switches in the monitoring network to forward network packets tapped from the forwarding network to one or more packet recorders. The packet recorders may store the tapped packets and the controller may query the stored packets at a later time. The controller may analyze queried packets to monitor the operation of the packet forwarding network and, if desired, to display graphical visualizations associated with the packet forwarding network. If desired, the controller may instruct the packet recorders to replay the tapped packets to network visibility tools through the monitoring network. The controller may coordinate storage and query operations across multiple packet recorders using the monitoring network so that the packet storage capacity and recording rate may be scaled up over time.

Abstract: Methods, systems, and computer programs are presented for distributing network address translation (NAT) operations to a plurality of network devices on a network. One method includes an operation for identifying, by a controller that controls a network fabric, a plurality of switches in the network fabric, each switch having a module for NAT and being configured to forward packets received at the switch. The controller identifies hosts having at least one internal Internet Protocol (IP) address, and for each of the hosts, the controller selects one of the switches from the plurality of switches for performing the NAT for the host. Further, the controller configures the network fabric to cause the selected switch to perform the NAT for the host to enable the host to communicate with an external network. In case of switch failure, the system reallocates NAT loads to other switches for high availability.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.

Abstract: A network of switches having ports coupled to other switches or end hosts may be controlled by a controller. The controller may identify whether any switch ports have failed. In response to identifying that a port has failed at a first switch, the controller may modify link aggregation group mappings of the other switches to handle failover. The controller may modify the link aggregation group mapping of each other switch to include a first mapping that includes ports coupled to the first switch and a second mapping that does not include any ports coupled to the first switch. The controller may configure forwarding tables at the switches to forward network packets using the first or second mappings based on network topology information maintained by the controller.

Abstract: In various example embodiments, a system and method for optimizing management of a multicast tree are disclosed. The system receives first multicast group member information, from over a network and via a first packet forwarding system, at a controller server that provides for control of a network comprised of a first virtual local area network including a first packet forwarding system, the first multicast group member information being received by the first packet forwarding system and describing a first end-host computer as joining a first multicast group on the first virtual local area network. The system generates a multicast tree, at the controller server, and communicates a network configuration message to at least one packet forwarding system of a first plurality of packet forwarding systems to enable communication of the multicast traffic for the first multicast group over a portion of the multicast tree.

Abstract: A controller implemented on computing equipment may be used to control switches in a network. End hosts may be coupled to the switches. The controller may generate a virtual network topology of virtual switches, virtual routers, and virtual system routers that are distributed over underlying switches in the network. The controller may form virtual switches from respective groups of end hosts, virtual routers from groups of virtual switches that include virtual interfaces that are coupled to virtual switches, and a virtual system router from groups of virtual routers that includes virtual system router interfaces that are coupled to the virtual routers. The controller may control the virtual network topology by generating respective flow table entries based on identified network policies for each of the virtual routers, virtual system routers, and virtual switches. The controller may control the virtual system routers to route packets between the virtual routers.

Abstract: A controller may fulfill hardware address requests that are sent by source end hosts in a network to discover hardware addresses of destination end hosts. The controller may use network topology information to determine how to process the hardware address requests. The controller may retrieve a requested hardware address from a database of end hosts. If the controller is able to retrieve the hardware address of a destination end host from the database of end hosts, the controller may provide the source end host with a reply packet that contains the requested hardware address. If the controller is unable to retrieve the requested hardware address, the controller may form request packets to discover the address of the second end host and/or to discover a packet forwarding path between the source end host and the destination end host.

Abstract: Systems and methods for building a hyper-scale monitoring fabric are described. The system receives a duplicate of a first portion of traffic information from a production network as first traffic information and communicates the first traffic information in the hyper-scale monitoring fabric. The first traffic information is communicated to a controller computer that configures the hyper-scale monitoring fabric. The system receives a duplicate of a second portion of the traffic information from the production network as second traffic information. The system forwards the second traffic information to a tool farm.

Abstract: Systems and methods to optimize processing of service in-line chain traffic are described. The system generates a program comprised of a first plurality of instructions, the first plurality of instructions being utilized to process traffic information that is being received from a first network and communicated to a second network. The traffic information including a plurality of flows of traffic information that is associated with a plurality of in-line services that is associated with a plurality of in-line service systems that are logically interposed between the first network and the second network with a ternary content-addressable memory (TCAM) that executes the plurality of instructions to forward the plurality of flows of traffic information. Next the system executes the first plurality of instructions with the TCAM.

Abstract: The controller may include a switch modeling interface that maintains switch models of switches in a network. The switch modeling interface may receive a desired network configuration from application modules that respond to network events. The switch modeling interface may compare the desired network configuration with the current network configuration represented by the switch models. The switch modeling interface may generate control messages to the switches for only identified differences between the desired network configuration and the current network configuration as identified by the switch models. The differences may be identified based on digest values retrieved from the switches. The switch modeling interface may determine whether the control messages were successfully received and processed by a switch and may indicate success or failure to the application module that provided the desired network configuration.

Abstract: A controller may control switches such as physical and software switches in a network. The controller may generate virtual switches from groups of end hosts in forming a virtual network topology. The controller may receive one or more network policy rules that govern network traffic through the switches. For a given network policy rule, the controller may perform a test in determining whether the network satisfies the network policy rule. The test may be performed based on a testing rule identifying test parameters and expected test results. The controller may perform tests in determining whether the network satisfies the testing rule and the corresponding network policy rule. The tests may be performed via simulation at the controller or by injecting a tagged test packet into the network.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts that are coupled to the forwarding network. An analysis network may be connected to the forwarding network. A controller may control the switches in the forwarding network to implement desired forwarding paths. The controller may configure the switches to form switch port groups. The controller may identify a port group that is connected to the analysis network. The controller may select a subset of the forwarded packets and may control selected switches to copy the subset to the identified port group. The controller may establish network tunnels between the switches and the port group. In this way, the controller may control the switches to perform efficient traffic monitoring regardless of the location on the forwarding network at which the traffic monitoring network is connected and without interfering with normal packet forwarding operations through the forwarding network.

Abstract: A controller implemented on computing equipment may control switches in a network. The controller may provide flow tables that implement network policies to the switches to control packet forwarding through the network. The controller may provide debug table entries to the switches for use in a debug table that is separate from the flow table. The debug table entries may match incoming network packets and increment corresponding counters on the switches. The controller may retrieve count information from the counters for performing debugging operations on the network. For example, the controller may identify conflicts between fields of a selected flow table entry, determine whether elephant packet flows are present between switches, determine whether desired load balancing is being performed, determine whether a network path has changed, determine whether packet loss has occurred, and/or determine whether network packets are taking undesired paths based on the retrieved count information.

Abstract: A packet forwarding network may include switches that forward network traffic between end hosts and network tap devices that forward copied network traffic to an analysis network formed from client switches that are controlled by a controller. Network analysis devices and network service devices may be coupled to the client switches at interfaces of the analysis network. The controller may receive one or more network policies from a network administrator. A network policy may identify ingress interfaces, egress interfaces, matching rules, packet manipulation services to be performed. The controller may control the client switches to generate network paths that forward network packets that match the matching rules from the ingress interfaces to the egress interfaces through service devices that perform the services of the list. The controller may generate network paths for network policies based on network topology information and/or current network conditions maintained at the controller.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery cable, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.

Abstract: First and second controllers implemented on computing equipment may be used to control switches in a network. The switches may forward network packets between end hosts. The second controller may identify first and second redundant partitions of switches in the network that are each coupled to all of the end hosts. The first controller may instruct the first partition to install software while the second partition forwards network traffic and may instruct the second partition to install software while the first partition forwards network traffic. The first controller may install the software while the second controller is active and the second controller may install the software while the first controller is active. In this way, the switches and controllers may be provided with an uninterrupted software upgrade and packets may be forwarded between end hosts during the software upgrade without introducing packet loss or other noticeable reductions in network performance.

Abstract: A controller implemented on computing equipment may be used to control switches in a network. End hosts and service devices may be coupled to the switches in the network. The controller may generate a virtual network topology of virtual switches and virtual routers. The controller may control the virtual routers and/or virtual switches to perform service insertion. The controller may perform service insertion by controlling the virtual routers and/or virtual switches to redirect network traffic through one or more selected service devices. The controller may determine which network traffic is to be redirected to which service devices based on a service insertion policy that identifies network traffic and services to be performed on the network traffic.

Abstract: A controller may be used to control client switches in a network that includes non-client, switches. The controller may form client domains from groups of client switches that are separated by intervening non-client domains formed from non-client switches. The controller may determine a network domain topology from the client domains and non-client domains. The controller may determine a spanning tree that interconnects the nodes of the network domain topology. The controller may control client switches of the client domains to allow only network traffic between the client domains and the non-client domains along the spanning tree. The controller may use the network domain topology to generate inter-domain forwarding maps. The inter-domain forwarding maps may be used to determine network forwarding paths between end hosts in the network.

Abstract: A controller may control client switches in a network including client and non-client switches. The controller may maintain a link discovery table including entries that identify links between client switches. The controller may classify the links as direct or broadcast links. To classify links of the link discovery table, the controller may direct client switches to send broadcast and directed discovery packets from switch ports. Client switches that receive the discovery packets from other client switches may forward the discovery packets to the controller. The controller may use the discovery packets to classify the links of the link discovery table. The controller may classify ports as broadcast or regular ports based on the classified links. Non-client broadcast domains of the network topology may be identified from the broadcast ports using the broadcast and direct links of the link discovery table.