Predicting and mitigating layer-2 anomalies and instabilities

What is claimed is: 1 . A method, comprising: receiving, at a server, layer-2 topology information from a plurality of layer-2 switches; receiving, at the server, layer-2 telemetry information from the plurality of layer-2 switches; applying, by the server, behavioral learning to both the layer-2 topology information and the layer-2 telemetry information to detect layer-2 patterns that are indicative of one or more problematic layer-2 behaviors; creating, by the server based on the behavioral learning, predictive rules to be applied within layer-2 networks to predict the one or more problematic layer-2 behaviors; and using, by the server, the predictive rules within a particular layer-2 network to cause i) prediction of one or more particular problematic layer-2 behaviors within the particular layer-2 network based on data from a plurality of switches within the particular layer-2 network, and ii) mitigation against the predicted one or more particular problematic layer-2 behaviors within the particular layer-2 network. 2 . The method as in claim 1 , wherein using the predictive rules comprises: receiving, by the server, the data from the plurality of switches within the particular layer-2 network; predicting, by the server, the one or more particular problematic layer-2 behaviors within the particular layer-2 network based on the data and the predictive rules; and mitigating, by the server, against the predicted one or more particular problematic layer-2 behaviors. 3 . The method as in claim 1 , wherein using the predictive rules comprises: sending the predictive rules to a second server for the particular layer-2 network, wherein the second server receives the data from the plurality of switches within the particular layer-2 network, predicts the one or more particular problematic layer-2 behaviors within the particular layer-2 network based on the data and the predictive rules, mitigates against the predicted one or more particular problematic layer-2 behaviors. 4 . The method as in claim 1 , wherein the mitigation against the predicted one or more particular problematic layer-2 behaviors comprises one or more autonomous server-initiated layer-2 network changes. 5 . The method as in claim 1 , wherein problematic layer-2 behaviors are selected from a group consisting of: media access control (MAC) move; MAC flapping; non-legitimate users; MAC flooding; MAC stale entry; MAC spoofing; and layer-2 storms. 6 . The method as in claim 1 , wherein the layer-2 topology information is selected from a group consisting of: spanning tree state; port state; and connected devices. 7 . The method as in claim 1 , wherein the layer-2 telemetry information is selected from a group consisting of: local media access control (MAC) table information; changes to MAC table information; and event information related to changes to MAC table information. 8 . The method as in claim 1 , wherein receiving one or both of the layer-2 topology information and layer-2 topology information is based on one or both of a push model or pull model between the server and the plurality of layer-2 switches. 9 . The method as in claim 1 , further comprising: feeding virtual local area network (VLAN) information for the plurality of layer-2 switches into the behavioral learning. 10 . The method as in claim 1 , further comprising: feeding address resolution protocol (ARP) information for the plurality of layer-2 switches into the behavioral learning. 11 . The method as in claim 1 , further comprising: processing, prior to applying behavioral learning, one or both of the layer-2 topology information and layer-2 topology information to convert raw data into meaningful attributes for the behavioral learning. 12 . The method as in claim 1 , wherein the plurality of layer-2 switches are from a plurality of different layer-2 networks. 13 . A tangible, non-transitory, computer-readable medium storing program instructions that cause a computer to execute a process comprising: receiving layer-2 topology information from a plurality of layer-2 switches; receiving layer-2 telemetry information from the plurality of layer-2 switches; applying behavioral learning to both the layer-2 topology information and the layer-2 telemetry information to detect layer-2 patterns that are indicative of one or more problematic layer-2 behaviors; creating, based on the behavioral learning, predictive rules to be applied within layer-2 networks to predict the one or more problematic layer-2 behaviors; and using the predictive rules within a particular layer-2 network to cause i) prediction of one or more particular problematic layer-2 behaviors within the particular layer-2 network based on data from a plurality of switches within the particular layer-2 network, and ii) mitigation against the predicted one or more particular problematic layer-2 behaviors within the particular layer-2 network. 14 . The computer-readable medium as in claim 13 , wherein using the predictive rules comprises: receiving the data from the plurality of switches within the particular layer-2 network; predicting the one or more particular problematic layer-2 behaviors within the particular layer-2 network based on the data and the predictive rules; and mitigating against the predicted one or more particular problematic layer-2 behaviors. 15 . The computer-readable medium as in claim 13 , wherein the process further comprises: processing, prior to applying behavioral learning, one or both of the layer-2 topology information and layer-2 topology information to convert raw data into meaningful attributes for the behavioral learning. 16 . The computer-readable medium as in claim 13 , wherein the mitigation against the predicted one or more particular problematic layer-2 behaviors comprises one or more autonomous server-initiated layer-2 network changes. 17 . The computer-readable medium as in claim 13 , wherein: the layer-2 topology information is selected from a group consisting of: spanning tree state; port state; and connected devices; and the layer-2 telemetry information is selected from a group consisting of: local media access control (MAC) table information; changes to MAC table information; and event information related to changes to MAC table information. 18 . The computer-readable medium as in claim 13 , wherein problematic layer-2 behaviors are selected from a group consisting of: media access control (MAC) move; MAC flapping; non-legitimate users; MAC flooding; MAC stale entry; MAC spoofing; and layer-2 storms. 19 . The computer-readable medium as in claim 13 , wherein receiving one or both of the layer-2 topology information and layer-2 topology information is based on one or both of a push model or pull model with the plurality of layer-2 switches. 20 . A method, comprising: sending, from a layer-2 switch, initial layer-2 topology information and initial layer-2 telemetry information to a server to cause the server to i) apply behavioral learning to both layer-2 topology information and layer-2 telemetry information from a plurality of layer-2 switches to detect layer-2 patterns that are indicative of one or more problematic layer-2 behaviors, and ii) create, based on the behavioral learning, predictive rules to be applied within layer-2 networks to predict the one or more problematic layer-2 behaviors; sending, from the layer-2 switch, subsequent layer-2 topology information and subsequent layer-2 telemetry information to the server t