Abstract: Methods, systems, and computer programs are presented for creating a secure network fabric and for adding trusted devices to an existing secure network fabric. One method includes an operation for setting a switch into a provisioning mode where the switch does not enforce secure communications. While the switch is in provisioning mode, the method performs operations including establishing a connection from the switch to a provisioning controller, sending a certificate signing request (CSR) from the switch to the provisioning controller, and receiving, from the provisioning controller, a security certificate generated by a certificate authority. The method further includes an operation for entering a lockdown mode by the switch after receiving the security certificate, where the switch, while in lockdown mode, secures communications utilizing the security certificate.

Abstract: The controller may include a switch modeling interface that maintains switch models of switches in a network. The switch modeling interface may receive a desired network configuration from application modules that respond to network events. The switch modeling interface may compare the desired network configuration with the current network configuration represented by the switch models. The switch modeling interface may generate control messages to the switches for only identified differences between the desired network configuration and the current network configuration as identified by the switch models. The differences may be identified based on digest values retrieved from the switches. The switch modeling interface may determine whether the control messages were successfully received and processed by a switch and may indicate success or failure to the application module that provided the desired network configuration.

Abstract: Methods, systems, and computer programs are presented for creating a secure network fabric and for adding trusted devices to an existing secure network fabric. One method includes an operation for setting a switch into a provisioning mode where the switch does not enforce secure communications. While the switch is in provisioning mode, the method performs operations including establishing a connection from the switch to a provisioning controller, sending a certificate signing request (CSR) from the switch to the provisioning controller, and receiving, from the provisioning controller, a security certificate generated by a certificate authority. The method further includes an operation for entering a lockdown mode by the switch after receiving the security certificate, where the switch, while in lockdown mode, secures communications utilizing the security certificate.

Abstract: First and second controllers implemented on computing equipment may be used to control switches in a network. The switches may forward network packets between end hosts. The second controller may identify first and second redundant partitions of switches in the network that are each coupled to all of the end hosts. The first controller may instruct the first partition to install software while the second partition forwards network traffic and may instruct the second partition to install software while the first partition forwards network traffic. The first controller may install the software while the second controller is active and the second controller may install the software while the first controller is active. In this way, the switches and controllers may be provided with an uninterrupted software upgrade and packets may be forwarded between end hosts during the software upgrade without introducing packet loss or other noticeable reductions in network performance.

Abstract: First and second controllers implemented on computing equipment may be used to control switches in a network. The switches may forward network packets between end hosts. The second controller may identify first and second redundant partitions of switches in the network that are each coupled to all of the end hosts. The first controller may instruct the first partition to install software while the second partition forwards network traffic and may instruct the second partition to install software while the first partition forwards network traffic. The first controller may install the software while the second controller is active and the second controller may install the software while the first controller is active. In this way, the switches and controllers may be provided with an uninterrupted software upgrade and packets may be forwarded between end hosts during the software upgrade without introducing packet loss or other noticeable reductions in network performance.

Abstract: A method and system of analyzing a network to identify a network defect allows user selection of traffic subset to be recorded. After recording the selected traffic subset of the network traffic during network operation, the recorded traffic is then replayed at least in part to the network to replicate, and thus assist in identifying, the network defect.

Abstract: A method and system of analyzing a network to identify a network defect allows user selection of traffic subset to be recorded. After recording the selected traffic subset of the network traffic during network operation, the recorded traffic is then replayed at least in part to the network to replicate, and thus assist in identifying, the network defect.