Abstract: One aspect of the present technology can provide a system for facilitating in-service software upgrade (ISSU) for a switch in a virtual switching stack. During operation, the system can initiate ISSU that facilitate uninterrupted traffic flow. The system can upgrade a first set of daemons of the switch that manage operations of the switch. The system can also upgrade a database stored on the switch. The database can store operational information of the switch. The system can further upgrade a second set of daemons of the switch that configure forwarding information on the forwarding hardware of the switch and facilitate data-plane operations for the switch. The forwarding information configured on the forwarding hardware can remain unchanged during the upgrade. The system can configure the upgraded second set of daemons to obtain control-plane information from a standby switch of a conductor switch of the virtual switching stack.

Abstract: A member switch of multiple connected switches receives a stack-discovery packet from a first coupled switch and, in response, generates and transmits a stack-discovery-response packet to the first coupled switch to allow the member switch to be discovered. The member switch receives stack-configuration information from a stack-control node and forwards the stack-discovery packet to a second coupled switch to facilitate discovery of the second coupled switch. The first coupled switch, the member switch, and the second coupled switch are coupled to each other according to a predetermined order, thereby facilitating an ordered discovery of the multiple connected switches. In response to receiving, from the stack-control node, a control packet, the member switch reboots based on the received stack-configuration information.

Abstract: A member switch of multiple connected switches receives a stack-discovery packet from a first coupled switch and, in response, generates and transmits a stack-discovery-response packet to the first coupled switch to allow the member switch to be discovered. The member switch receives stack-configuration information from a stack-control node and forwards the stack-discovery packet to a second coupled switch to facilitate discovery of the second coupled switch. The first coupled switch, the member switch, and the second coupled switch are coupled to each other according to a predetermined order, thereby facilitating an ordered discovery of the multiple connected switches. In response to receiving, from the stack-control node, a control packet, the member switch reboots based on the received stack-configuration information.

Abstract: Example approaches for authenticating a device are described. In an example, a category, from a plurality of categories, is identified for a device, based on data packets exchanged between the device and a network element. The category is indicative of operational capabilities of the device. Based on the category identified for the device, an authentication order for the device is determined. The authentication order is indicative of a sequence in which a set of authentication tests is to be executed for authentication of the device.

Abstract: Examples herein are directed to centralized database based multicast converging. For instance, in various examples centralized database based multicast converging can include starting a restart timer having a value greater than a time to validate stored entries in a centralized database, sending data packets at least to hosts on the network corresponding to the stored entries in the centralized database to maintain service to the hosts while the restart timer is running, sending query packets to validate a host corresponding to an entry of the stored entries in the centralized database, and responsive to the restart timer expiring, sending data packets to a converged group of hosts including at least the validated host.

Abstract: Example approaches for authenticating a device are described, In an example, a category, from a plurality of categories, is identified for a device, based on data packets exchanged between the device and a network element. The category is indicative of operational capabilities of the device. Based on the category identified for the device, an authentication order for the device is determined. The authentication order is indicative of a sequence in which a set of authentication tests is to be executed for authentication of the device.

Abstract: Examples disclosed herein relate to use of MACsec to encrypt tunnel data packets. In an example, a MACsec capable device may receive a data packet from a host device for tunneling to a controller. MACsec capable device may encapsulate the data packet with an encapsulation header to generate an encapsulated data packet. The encapsulation header may comprise a destination MAC address reserved for the controller. MACsec capable device may direct the encapsulated data packet to a MACsec engine. MACsec engine may encrypt the encapsulated data packet with the encryption key to generate an encrypted data packet. MACsec capable device may encapsulate the encrypted data packet with a first GRE header. MACsec capable device may send the encrypted data packet with the first GRE header to the controller via a GRE tunnel.

Abstract: A system and method authenticating a client device transmitting a request to access a network that includes an authentication server to implement an authentication protocol for access to the network, and an authenticator to transmit identity credentials of the client device using the authentication protocol to the authentication server to perform authentication of the client device at the authentication server. The authenticator downloads credentials of the authenticated client device from the authentication server, determines, during a re-authentication period, whether the authentication server is available, and performs re-authentication of the client device using the downloaded credentials when the authentication server is determined not to be available.

Abstract: Some examples relate to auto-configuration of a parameter related to a multicast protocol on a network device. In an example, a network device in a multicast network may identify the network topology of the multicast network. Upon identification, the network device may enable a multicast protocol on the network device based on the network topology of the multicast network. The network device may determine a network parameter related to the multicast network. In response to the determination, a multicast parameter related to the multicast protocol may be auto-configured on the network device.

Abstract: Some examples relate to managing multicast scaling. In an example, a determination may be made at a network device whether more than a pre-defined percentage of ports of a virtual LAN (VLAN) are associated with an IP multicast group. In response to the determination that more than a pre-defined percentage of ports on the VLAN are associated with the IP multicast group, a flood filter may be programmed on the network device for the VLAN. A hardware filter previously associated with the IP multicast group may be disassociated.

Abstract: Examples disclosed herein relate to providing a failover in a MACsec capable device. In an example, a determination may be made on a Media Access Control (MAC) Security (MACsec) capable device, whether a primary management engine that manages a protocol related to MACsec standard on the MACsec capable device has failed. In response to a determination that the primary management engine has failed, a secondary management engine in the MACsec capable device may create a Connectivity Association (CA) between the MACsec capable device and a peer MACsec capable device by performing an IEEE 802.1X re-authentication with the peer MACsec capable device within MACsec Key Agreement (MKA) lifetime. The MKA lifetime may refer to a period during which no MACsec Key Agreement Protocol Data Unit (MKPDU) is received by the peer MACsec capable device from the MACsec capable device.

Abstract: A system and device for determining authenticity of a client device transmitting a request to access a network that includes an authenticator to adjust authentication parameters for authentication requests to access a network from a client device, and access switches positioned within the authentication, each of the plurality of switches having an associated port for receiving the authentication requests. The authenticator monitors authentication requests received from the client device, determines whether a number of the monitored authentication requests that are failed authentication requests, and determines mobility of the client device during the monitored authentication requests. Authenticity of the client device is determined based on one of the determined number of failed authentication requests and the determined mobility of the client device.

Abstract: Examples disclosed herein relate to use of MACsec to encrypt tunnel data packets. In an example, a MACsec capable device may receive a data packet from a host device for tunneling to a controller. MACsec capable device may encapsulate the data packet with an encapsulation header to generate an encapsulated data packet. The encapsulation header may comprise a destination MAC address reserved for the controller. MACsec capable device may direct the encapsulated data packet to a MACsec engine. MACsec engine may encrypt the encapsulated data packet with the encryption key to generate an encrypted data packet. MACsec capable device may encapsulate the encrypted data packet with a first GRE header. MACsec capable device may send the encrypted data packet with the first GRE header to the controller via a GRE tunnel.

Abstract: Examples herein are directed to centralized database based multicast converging. For instance, in various examples centralized database based multicast converging can include starting a restart timer having a value greater than a time to validate stored entries in a centralized database, sending data packets at least to hosts on the network corresponding to the stored entries in the centralized database to maintain service to the hosts while the restart timer is running, sending query packets to validate a host corresponding to an entry of the stored entries in the centralized database, and responsive to the restart timer expiring, sending data packets to a converged group of hosts including at least the validated host.

Abstract: Some examples relate to auto-configuration of a parameter related to a multicast protocol on a network device. In an example, a network device in a multicast network may identify the network topology of the multicast network. Upon identification, the network device may enable a multicast protocol on the network device based on the network topology of the multicast network. The network device may determine a network parameter related to the multicast network. In response to the determination, a multicast parameter related to the multicast protocol may be auto-configured on the network device.

Abstract: Examples disclosed herein relate to providing a failover in a MACsec capable device. In an example, a primary management engine that runs a protocol of MACsec standard in a MACsec capable device may determine whether a parameter related to a protocol of MACsec standard on the MACsec capable device has changed. In response to the determination that the parameter has changed, primary management engine may synchronize data related to the parameter to a secondary management engine, which acts as a failover component for the primary management engine. In response to a determination that the primary management engine has failed, secondary management engine may recreate the latest state of the protocol of MACsec standard in the MACsec capable device prior to the failure of the primary management engine, based on the data related to the parameter.

Abstract: Provided is a method of discovering multicast group memberships in a software defined network. A multicast group membership query message is sent only to a selected network device in the network. The network device forwards the multicast group membership query message to a host computer system connected to the network device and recognizes a multicast group membership request from the host computer system in response to the group membership query message.

Abstract: A method for locating a fault in a communications network includes modifying the time-to-live (TTL) value in an Internet Protocol header of a data packet and transmitting the data packet through the communications network. The method continues with receiving a TTL-exceeded message from a routing element in the communications network and modifying the time-to-live value in the Internet protocol header of a second data packet, wherein the time-to-live value corresponds to a second hop count, the second hop count corresponding to the number of hops from the transmitting server to a second one of the plurality of routing elements in the communications network.