Data centers, the critical infrastructure underpinning Cloud computing, often employ Software-Defined Networks (SDN) to manage cluster, wide-area and enterprise networks. As the network forwarding in SDN is dynamically programmed by controllers, it is crucial to ensure that the controller intent is correctly translated into underlying forwarding rules. Therefore, detecting and locating forwarding anomalies in SDN is a fundamental problem in production networks. Existing research proposals, roughly categorized into probing based, packet piggybacking based and flow statistics analysis based, either impose significant overhead or do not provide sufficient coverage for certain forwarding anomalies. In this paper, we propose FADE, a controllable and passive measuring scheme to simultaneously deliver detection efficiency and accuracy. FADE first analyzes the entire network topology and flow rules, and then computes a minimal set of flows that can cover all forwarding rules. For each selected network flow, FADE decides the optimal number of monitoring positions on its path (much less than total number of hops), and installs dedicated rules to collect flow statistics. FADE controls the installation and expiration of these rules, along with unique flow labels, to guarantee the accuracy of collected statistics, based on which FADE algorithmically decides whether a forwarding anomaly is detected, and if so it further locates the anomaly. On top of FADE, we propose iFADE (a more scalable version of FADE) to further optimize the usage and deployment of dedicated measurement rules. iFADE achieves over 40% rule reduction compared with FADE. We implement a prototype of both FADE and iFADE in about 12,000 lines of code and evaluate the prototype extensively. The experiment results demonstrate (i) FADE and iFADE are accurate, e.g., they achieve over 95% true positive rate and 99% true negative rate in anomaly detection; (ii) FADE and iFADE are lightweight, e.g., they reduce the overhead of control messages compared with state-of-the-art by about 50% and 90%, respectively. 1 Introduction Data centers are critical infrastructure underpinning the Cloud computing. Nowadays, production data centers often employ Software-Defined Networking (SDN) to manage both cluster networks [1], wide area networks [2], [3] and enterprise networks [4]. SDN adopts a new networking paradigm by separating the control plane from the data plane [5]. However, SDN itself does not ensure the flow rule consistency between what is intended in the control