Abstract: Methods and system for supporting multiple management interfaces using a network analytics engine. The network analytics engine can run on a core switch for performing data collection and monitoring of network traffic through the switch. The switch can receive a first list including a first set of network packet parameters for monitoring network traffic using certain monitoring criteria. Then, the switch can receive a second list including a second set of network packet parameters for monitoring network traffic in accordance using different monitoring criteria. The switch can generate a concatenated list including the first list and the single list to form a single set of packet parameters. Concatenation may be consistent with a determined sequential order and priorities assigned to the lists. The switch can be programmed with the concatenated list such that network monitoring is accomplished using both monitoring criteria, while only implemented a single concatenated list.

Abstract: A system for facilitating data transmission in a switch is provided. During operation, the system can obtain one or more sets of configuration parameters for a plurality of traffic policing filters of the switch. A respective traffic policing filter can correspond to a token bucket. A number of tokens in the token bucket can indicate whether to forward a packet associated with the traffic policing filter. The system can determine the token allocation frequencies for the plurality of traffic policing filters based on the one or more sets of configuration parameters. The system can then select a sampling interval from the token allocation frequencies based on a selection policy and determine a performance rate for the plurality of traffic policing filters based on the sampling interval.

Abstract: A system for facilitating data transmission in a switch is provided. During operation, the system can obtain one or more sets of configuration parameters for a plurality of traffic policing filters of the switch. A respective traffic policing filter can correspond to a token bucket. A number of tokens in the token bucket can indicate whether to forward a packet associated with the traffic policing filter. The system can determine the token allocation frequencies for the plurality of traffic policing filters based on the one or more sets of configuration parameters. The system can then select a sampling interval from the token allocation frequencies based on a selection policy and determine a performance rate for the plurality of traffic policing filters based on the sampling interval.

Abstract: Systems and methods are provided for minimizing traffic leaks during replacement of an access control list for a network interface. The method includes adding a blocking access control entry to an access control list for a network interface of a network switch, wherein the blocking entry causes the network interface to block traffic from passing through the network interface; removing one or more current access control entries from the access control list, except for the blocking entry, after adding the blocking entry to the access control list; adding one or more new access control entries to the access control list, without removing the blocking entry, after removing the one or more current access control entries from the access control list; and removing the blocking entry from the access control list after adding the one or more new access control entries to the access control list.

Abstract: Methods and system for supporting multiple management interfaces using a network analytics engine. The network analytics engine can run on a core switch for performing data collection and monitoring of network traffic through the switch. The switch can receive a first list including a first set of network packet parameters for monitoring network traffic using certain monitoring criteria. Then, the switch can receive a second list including a second set of network packet parameters for monitoring network traffic in accordance using different monitoring criteria. The switch can generate a concatenated list including the first list and the single list to form a single set of packet parameters. Concatenation may be consistent with a determined sequential order and priorities assigned to the lists. The switch can be programmed with the concatenated list such that network monitoring is accomplished using both monitoring criteria, while only implemented a single concatenated list.

Abstract: Methods and system for supporting multiple management interfaces using a network analytics engine. The network analytics engine can run on a core switch for performing data collection and monitoring of network traffic through the switch. The switch can receive a first list including a first set of network packet parameters for monitoring network traffic using certain monitoring criteria. Then, the switch can receive a second list including a second set of network packet parameters for monitoring network traffic in accordance using different monitoring criteria. The switch can generate a concatenated list including the first list and the single list to form a single set of packet parameters. Concatenation may be consistent with a determined sequential order and priorities assigned to the lists. The switch can be programmed with the concatenated list such that network monitoring is accomplished using both monitoring criteria, while only implemented a single concatenated list.

Abstract: Methods and system for supporting multiple management interfaces using a network analytics engine. The network analytics engine can run on a core switch for performing data collection and monitoring of network traffic through the switch. The switch can receive a first list including a first set of network packet parameters for monitoring network traffic using certain monitoring criteria. Then, the switch can receive a second list including a second set of network packet parameters for monitoring network traffic in accordance using different monitoring criteria. The switch can generate a concatenated list including the first list and the single list to form a single set of packet parameters. Concatenation may be consistent with a determined sequential order and priorities assigned to the lists. The switch can be programmed with the concatenated list such that network monitoring is accomplished using both monitoring criteria, while only implemented a single concatenated list.

Abstract: Systems and methods are provided for minimizing traffic leaks during replacement of an access control list for a network interface. The method includes adding a blocking access control entry to an access control list for a network interface of a network switch, wherein the blocking entry causes the network interface to block traffic from passing through the network interface; removing one or more current access control entries from the access control list, except for the blocking entry, after adding the blocking entry to the access control list; adding one or more new access control entries to the access control list, without removing the blocking entry, after removing the one or more current access control entries from the access control list; and removing the blocking entry from the access control list after adding the one or more new access control entries to the access control list.

Abstract: In some examples, a method includes determining a hash value for a received data packet, determining whether the determined hash value matches a hash value for an entry in a hash-to-port mapping table, determining whether a port mapping age associated with the matched entry satisfies an age criteria, and assigning a forwarding port for the received data packet based on the determination of whether the port mapping age associated with the matched entry satisfies the age criteria.

Abstract: Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.

Abstract: Sampling network traffic includes: loading a packet sampling module into a processor-based network device coupled to a network; determining with the packet sampling module if a network packet addressed to or from the network device is selected for sampling; and transmitting data from the network packet over the network to a monitoring device external to the network device if the network packet is selected for sampling.

Abstract: Methods, media, and computing devices for network security can include receiving flow sampled network traffic from multiple network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network monitoring computing device. Alternatively, a suspicious network activity list can be maintained for flow sampled network traffic having source and destination ports exceptional to the list of approved ports. Alternatively, a network administrator can be alerted when a port is added to the suspicious network activity list in response to a total number of ports in the suspicious network activity list exceeding a threshold number.