Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.

Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.

Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a network path having multiple hops associated with respective nodes which are configured in a forwarding mode. The system can traverse the network path to identify, for each node from the respective nodes, a respective next hop. Based on the respective next hop for each node, the system can determine whether two or more nodes from the respective nodes have a same respective next hop. When the two or more nodes have the same respective next hop, the system can determine that the network path has a network loop.

Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.

Abstract: Systems, methods, and computer-readable media for preventing man-in-the-middle attacks within network, without the need to maintain trusted/un-trusted port listings on each network device. The solutions disclosed herein leverage a host database which can be present on controllers, thereby providing a centralized database instead of a per-node DHCP binding database. Systems configured according to this disclosure (1) use a flood list only for ARP packets received from the controller 116; and (2) unicast ARP packets to the controller before communicating the packets to other VTEPs.

Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.

Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.

Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.

Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.

Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.

Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.

Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a network path having multiple hops associated with respective nodes which are configured in a forwarding mode. The system can traverse the network path to identify, for each node from the respective nodes, a respective next hop. Based on the respective next hop for each node, the system can determine whether two or more nodes from the respective nodes have a same respective next hop. When the two or more nodes have the same respective next hop, the system can determine that the network path has a network loop.

Abstract: Systems, methods, and computer-readable storage media for detecting network loops. A system can identify, for each virtual tunnel endpoint (VTEP) from multiple VTEPs in a network, respective media access control address data including the respective local interface media access control addresses of the respective VTEP and respective media access control addresses learned by the respective VTEP. The system can determine whether the VTEPs are running spanning tree protocol (STP), and whether a media access control address learned by a first VTEP matches a respective local interface media access control address of a second VTEP. The system can detect a loop when the media access control address learned by the first VTEP matches the respective local interface media access control address of the second VTEP. The system can also detect a loop when the VTEPs are running STP and the first and second VTEPs see the same STP root bridge.

Abstract: Systems, methods, and non-transitory computer-readable storage media for detecting network loops. In some embodiments, a system can identify a port that is in a blocking state. The blocking state can be for dropping one or more types of packets and preventing the port from forwarding the one or more types of packets. The system can determine a number of packets transmitted through the port by a hardware layer on the system and a number of control packets transmitted through the port by a software layer on the system. The system can determine whether the number of packets is greater than the number of control packets. When the number of packets is greater than the number of control packets, the system can determine that the blocking state has failed to prevent the port from forwarding the one or more types of packets.

Abstract: Systems, methods, and computer-readable media for preventing man-in-the-middle attacks within network, without the need to maintain trusted/un-trusted port listings on each network device. The solutions disclosed herein leverage a host database which can be present on controllers, thereby providing a centralized database instead of a per-node DHCP binding database. Systems configured according to this disclosure (1) use a flood list only for ARP packets received from the controller 116; and (2) unicast ARP packets to the controller before communicating the packets to other VTEPs.

Abstract: Mechanisms for switch upgrades using remote containers. An example system can export, to a server, a state of software processes associated with a first software container at the system. The system can generate a lightweight software container configured to forward traffic associated with the first software container to a second software container at the server, generated based on the state. The system can perform a switchover between the first software container and lightweight software container. The switchover can enable the lightweight software container to forward, to the second container, traffic associated with the first software container. The system can generate a fourth software container based on a snapshot of the second software container, and perform another switchover between the lightweight software container and fourth software container.

Abstract: Mechanisms for switch upgrades using remote containers. An example system can export, to a server, a state of software processes associated with a first software container at the system. The system can generate a lightweight software container configured to forward traffic associated with the first software container to a second software container at the server, generated based on the state. The system can perform a switchover between the first software container and lightweight software container. The switchover can enable the lightweight software container to forward, to the second container, traffic associated with the first software container. The system can generate a fourth software container based on a snapshot of the second software container, and perform another switchover between the lightweight software container and fourth software container.

Abstract: Aspects of the present disclosure are directed to dynamically adjusting control plane policing throughput of low (or lower) priority control plane traffic to permit higher throughput. The drop rate for low or lower priority control plane traffic can be determined to be above a threshold value. The processor utilization can be determined to be operating under normal utilization (or at a utilization within a threshold utilization value). The control plane policing for control plane traffic for the low or lower class of service can be increased (or decreased) to permit lower class of service control traffic to be transmitted using higher class of service resources without adjusting the priority levels for the lower class of service control traffic.