Abstract: A method and system for maintaining persistent network policies for a virtual machine (VM) that includes determining a name of the VM executing on a first host connected to a first network device; binding the name of the VM to a network policy for the VM on the first network device; acquiring from VM management software, using the name of the VM, a universally unique identifier (UUID) of the VM; associating the UUID to the network policy on the first network device; applying the network policy for the VM on the first network device; subscribing to receive notifications from the VM management software of changes to the configuration of the VM corresponding to the UUID; receiving notification from the VM management software of a configuration change made to the VM corresponding to the UUID; and updating the network policy of the VM to reflect the configuration change of the VM.

Abstract: A method for managing a network includes obtaining network flow data corresponding to a network device in the network, determining, based on the network flow data, configuration coverage associated with forwarding control configuration of the network device, identifying, using the configuration coverage and the forwarding control configuration, non-coverage, generating a plurality of synthetic packets based on the non-coverage, transmitting the plurality of synthetic packets to the network device, obtaining a set of results associated with the plurality of synthetic packets, making a determination, based on the set of results, that the network device is not implementing at least a portion of the non-coverage correctly, and based on the determination, performing a remediation action on the network device.

Abstract: Packets in a network may be dropped from time to time. Although network devices are able to provide counters specifying the number of dropped packets, these network devices are unable to provide additional context about the dropped packets. However, users of a network wish to know more about dropped packets; such as why the packets were dropped. Therefore, methods for capturing and storing the dropped packets are provided. This way, users can analyze the dropped packets to determine why these packets were dropped.

Abstract: A method for remotely configuring a network device using a user device and a network management service is provided. The user device includes a first communication interface and a second communication interface, and the method includes: initiating, by the user device, a communication channel with the network device using the second communication interface; after the communication channel is established: obtaining, by the user device via the first communication interface, configuration information for the network device from the network management service; and sending, by the user device, the configuration information to the network device via the communication channel. The user device is in communication with the network management service via the first communication interface, and the user device is configured as a pass-through device that relays the configuration information from the network management service to the network device.

Abstract: A method and system for enforcing network topology. The method includes receiving, at a first port on a first switch, a second role associated with a second switch, where the second switch is connected to the first switch using the first port, and where the first switch is associated with a first role. The method further includes making a first determination, using the first role, the second role, and a network topology policy, that the first switch should not be connected to the second switch. Sending, in response to the first determination, a first alert to an alert recipient, where the first alert specifies that the first switch is improperly connected to the second switch.

Abstract: A method and system for enforcing network topology. The method includes receiving, at a first port on a first switch, a second role associated with a second switch, where the second switch is connected to the first switch using the first port, and where the first switch is associated with a first role. The method further includes making a first determination, using the first role, the second role, and a network topology policy, that the first switch should not be connected to the second switch. Sending, in response to the first determination, a first alert to an alert recipient, where the first alert specifies that the first switch is improperly connected to the second switch.

Abstract: A method and system for maintaining persistent network policies for a virtual machine (VM) that includes determining a name of the VM executing on a first host connected to a first network device; binding the name of the VM to a network policy for the VM on the first network device; acquiring from VM management software, using the name of the VM, a universally unique identifier (UUID) of the VM; associating the UUID to the network policy on the first network device; applying the network policy for the VM on the first network device; subscribing to receive notifications from the VM management software of changes to the configuration of the VM corresponding to the UUID; receiving notification from the VM management software of a configuration change made to the VM corresponding to the UUID; and updating the network policy of the VM to reflect the configuration change of the VM.

Abstract: A method and system for maintaining persistent network policies for a virtual machine (VM) that includes determining a name of the VM executing on a first host connected to a first network device; binding the name of the VM to a network policy for the VM on the first network device; acquiring from VM management software, using the name of the VM, a universally unique identifier (UUID) of the VM; associating the UUID to the network policy on the first network device; applying the network policy for the VM on the first network device; subscribing to receive notifications from the VM management software of changes to the configuration of the VM corresponding to the UUID; receiving notification from the VM management software of a configuration change made to the VM corresponding to the UUID; and updating the network policy of the VM to reflect the configuration change of the VM.

Abstract: A method for determining that a defect applies to a network device that includes receiving, at a monitoring module, network device information from the network device. The network device information includes state information for the network device and does not include hardware and software version information. The method includes storing, in a network device database, the network device information from the network device and receiving, at the monitoring module, defect information about a defect. The defect information includes network device criteria specifying what state information is required for a network device to be affected by the defect. The method includes storing the defect information in a defect database, determining that the defect applies to the network device based on analyzing the network device information and the defect information from their respective databases, and, based on the determination, informing a defect alert recipient that the defect applies to the network device.

Abstract: A method and system for enforcing network topology. The method includes receiving, at a first port on a first switch, a second role associated with a second switch, where the second switch is connected to the first switch using the first port, and where the first switch is associated with a first role. The method further includes making a first determination, using the first role, the second role, and a network topology policy, that the first switch should not be connected to the second switch. Sending, in response to the first determination, a first alert to an alert recipient, where the first alert specifies that the first switch is improperly connected to the second switch.

Abstract: A method and system for enforcing network topology. The method includes receiving, at a first port on a first switch, a second role associated with a second switch, where the second switch is connected to the first switch using the first port, and where the first switch is associated with a first role. The method further includes making a first determination, using the first role, the second role, and a network topology policy, that the first switch should not be connected to the second switch. Sending, in response to the first determination, a first alert to an alert recipient, where the first alert specifies that the first switch is improperly connected to the second switch.

Abstract: A method and system for applying a network policy in a virtual extensible local area network (VXLAN) environment. The method includes receiving, at a network device, a VXLAN frame that includes a source VXLAN network identifier (VNI). The network device includes a first network policy. The method also includes examining the VXLAN frame to determine the source VNI; obtaining, based on the source VNI, the first network policy; and processing the VXLAN frame based on the application of the first network policy.

Abstract: A method and system for securing a VXLAN environment, including configuring a default network policy, associated with interfaces of the network device, for dropping all VXLAN frames including a VXLAN attribute; obtaining, by the network device, registered VTEP identifiers; determining, using the registered VTEP identifiers, that an interface of the network device is operatively connected to a registered VTEP associated with a registered VTEP identifier; disassociating the default network policy from the interface based on the determination; receiving, at the interface, a frame; performing a first verification that the frame is a VXLAN frame by examining the frame to determine that the frame includes the VXLAN attribute; performing a second verification to determine that the VXLAN frame includes a registered VTEP identifier; allowing, based on the first verification and the second verification, the network device to process the VXLAN frame; and processing the VXLAN frame.

Abstract: A non-transitory computer readable medium includes instructions, which, when executed by a processor, perform a method on a network device. The method includes receiving, from a configuration server, a master configuration script that includes an instruction set, a network topology for network devices, and a dictionary. The dictionary includes network device specific configuration scripts for the network devices. The method also includes executing the instruction set on the network device to configure the network device.

Abstract: An adjunct network device includes several ports, an uplink interface, and an adjunct forwarding engine coupled to the ports and the uplink interface. A first port is configured to receive a packet, which includes a destination address. The adjunct forwarding engine is configured to send the packet to the uplink interface if the destination address is not associated with any of the ports. The packet is sent to one of the ports if the destination address is associated with the one of the ports.

Abstract: A system and method for route health injection using virtual tunnel endpoints. The method includes detecting, by a virtual tunnel endpoint (VTEP), that a new host is connected to the VTEP, where the VTEP is executing on the network device. The method further includes, based on the detecting, generating by the VTEP, a new route for the new host, where the new route is at least a longer match for the new host than currently existing routes for the new host, and providing the new route to a default gateway for the new host.

Abstract: A method and system for securing a VXLAN environment, including configuring a default network policy, associated with interfaces of the network device, for dropping all VXLAN frames including a VXLAN attribute; obtaining, by the network device, registered VTEP identifiers; determining, using the registered VTEP identifiers, that an interface of the network device is operatively connected to a registered VTEP associated with a registered VTEP identifier; disassociating the default network policy from the interface based on the determination; receiving, at the interface, a frame; performing a first verification that the frame is a VXLAN frame by examining the frame to determine that the frame includes the VXLAN attribute; performing a second verification to determine that the VXLAN frame includes a registered VTEP identifier; allowing, based on the first verification and the second verification, the network device to process the VXLAN frame; and processing the VXLAN frame.

Abstract: A method for maintaining a switch. The method includes identifying a first phase to enter in a boot-up process for the switch, where the boot-up process includes a number of phases and the first phase is one of the phases. The method further includes determining a phase exit condition from a first snapshot of the switch, where the first snapshot includes state information for each of the of phases. The method further includes transitioning to the first phase and after transitioning to the first phase: starting a first countdown timer for the first phase, and executing, on the switch, a first networking protocol for the first phase. The method further includes determining, in response to the executing, that a first current state of the switch satisfies the phase exit condition, and exiting the first phase, where the first countdown timer is not expired when exiting the first phase.

Abstract: A method and system for securing a VXLAN environment, including configuring a default network policy, associated with interfaces of the network device, for dropping all VXLAN frames including a VXLAN attribute; obtaining, by the network device, registered VTEP identifiers; determining, using the registered VTEP identifiers, that an interface of the network device is operatively connected to a registered VTEP associated with a registered VTEP identifier; disassociating the default network policy from the interface based on the determination; receiving, at the interface, a frame; performing a first verification that the frame is a VXLAN frame by examining the frame to determine that the frame includes the VXLAN attribute; performing a second verification to determine that the VXLAN frame includes a registered VTEP identifier; allowing, based on the first verification and the second verification, the network device to process the VXLAN frame; and processing the VXLAN frame.

Abstract: A method for maintaining a switch. The method includes identifying a first phase to enter in a boot-up process for the switch, where the boot-up process includes a number of phases and the first phase is one of the phases. The method further includes determining a phase exit condition from a first snapshot of the switch, where the first snapshot includes state information for each of the of phases. The method further includes transitioning to the first phase and after transitioning to the first phase: starting a first countdown timer for the first phase, and executing, on the switch, a first networking protocol for the first phase. The method further includes determining, in response to the executing, that a first current state of the switch satisfies the phase exit condition, and exiting the first phase, where the first countdown timer is not expired when exiting the first phase.