Abstract: Some embodiments of the invention provide a novel network architecture for deploying guest clusters (GCs) including workload machines for a tenant (or other entity) within an availability zone. The novel network architecture includes a virtual private cloud (VPC) deployed in the availability zone (AZ) that includes a centralized routing element that provides access to a gateway routing element of the AZ. In some embodiments, the centralized routing element provides a set of services for packets traversing a boundary of the VPC. The services, in some embodiments, include load balancing, firewall, quality of service (QoS) and may be stateful or stateless. Guest clusters are deployed within the VPC and use the centralized routing element of the VPC to access the gateway routing element of the AZ.

Abstract: Some embodiments of the invention provide a novel network architecture for deploying guest clusters (GCs) including workload machines for a tenant (or other entity) within an availability zone. The novel network architecture includes a virtual private cloud (VPC) deployed in the availability zone (AZ) that includes a centralized routing element that provides access to a gateway routing element of the AZ. In some embodiments, the centralized routing element provides a set of services for packets traversing a boundary of the VPC. The services, in some embodiments, include load balancing, firewall, quality of service (QoS) and may be stateful or stateless. Guest clusters are deployed within the VPC and use the centralized routing element of the VPC to access the gateway routing element of the AZ.

Abstract: Example methods and systems for managing interconnection of virtual network functions are disclosed. Example methods disclosed herein include, in response to a trigger event indicating detection of an interface, obtaining a virtual network domain template corresponding to a virtual network domain to be configured, the virtual network domain template identifying one or more virtual network functions and one or more interfaces, at least some of the virtual network functions being connected together through one or more links. Disclosed example methods further include configuring and provisioning the virtual network domain to contain the interface using the virtual network domain template and properties of the interface to enable the interface to send information in the virtual network domain.

Abstract: A method and apparatus is disclosed herein for use of a connectivity manager and a network infrastructure including the same. In one embodiment, the network infrastructure comprises one or more physical devices communicably coupled into a physical network infrastructure or via the overlay provided by the physical servers; and a virtual network domain containing a virtual network infrastructure executing on the physical network infrastructure. In one embodiment, the virtual network domain comprises one or more virtual network functions connected together through one or more links and executing on the one or more physical devices, and one or more interfaces coupled to one or more network functions via one or more links to communicate data between the virtual network domain and at least one of the one or more physical devices of the physical network infrastructure while the virtual network domain is isolated from other virtual infrastructures executing on the physical network infrastructure.

Abstract: A method and apparatus is disclosed herein for use of a connectivity manager and a network infrastructure including the same. In one embodiment, the network infrastructure comprises one or more physical devices communicably coupled into a physical network infrastructure or via the overlay provided by the physical servers; and a virtual network domain containing a virtual network infrastructure executing on the physical network infrastructure. In one embodiment, the virtual network domain comprises one or more virtual network functions connected together through one or more links and executing on the one or more physical devices, and one or more interfaces coupled to one or more network functions via one or more links to communicate data between the virtual network domain and at least one of the one or more physical devices of the physical network infrastructure while the virtual network domain is isolated from other virtual infrastructures executing on the physical network infrastructure.

Abstract: A method and apparatus is disclosed herein for use of a connectivity manager and a network infrastructure including the same. In one embodiment, the network infrastructure comprises one or more physical devices communicably coupled into a physical network infrastructure or via the overlay provided by the physical servers; and a virtual network domain containing a virtual network infrastructure executing on the physical network infrastructure. In one embodiment, the virtual network domain comprises one or more virtual network functions connected together through one or more links and executing on the one or more physical devices, and one or more interfaces coupled to one or more network functions via one or more links to communicate data between the virtual network domain and at least one of the one or more physical devices of the physical network infrastructure while the virtual network domain is isolated from other virtual infrastructures executing on the physical network infrastructure.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for supporting a large number of virtual local area networks (VLANS) in a bridged network. Packets are received that include 802.1Q Virtual Local Area Network (VLAN) identifiers (VIDs). However, rather than accessing the VLAN forwarding information directly based on the VID as conventionally performed, the VLAN forwarding information to use for a particular packet is determined based on an interface (e.g., virtual or physical interface, port, MPLS label, GRE tunnel or other abstraction of the interface). In other words, the interface associated with the packet identifies a context for determining the VLAN forwarding information based on the VID included in the packet. Therefore, network bridging devices can support more VLANs than that imposed by the 4096 possible values of a VID.

Abstract: A method, system, and apparatus to transmit replicated multicast packets over a plurality of physical network links that are combined into one logical channel or link so that the replicated multicast packets are distributed over more than one network link is disclosed. It is further disclosed that distribution over the network links is accomplished, in part, through analyzing the multicast packet for information other than ethernet addresses. Such information can include a tag header including destination interface information.

Abstract: Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.

Abstract: A mechanism for a network device to constrain multicast flooding of out-of-profile multicast frames is provided by defining a multicast flood domain that includes a subset of ports that are members of the broadcast domain. Such a multicast flood domain can be user configured or dynamically configured to include device ports that are coupled to network elements that should receive such out-of-profile multicast transmissions and exclude network elements that should not receive such multicast transmissions. In one embodiment of the present invention, such capability is provided by incorporating into a network device a mechanism for performing a multicast flood domain lookup of an address table in the event that an out-of-profile multicast frame is received.

Abstract: A method, system, and computer program product are presented to optimize OSI Level 2 switch forwarding of frames comprising IP addresses, 802.1 QinQ VLAN identifiers, multi-protocol label switching labels, and any other usable information meaningful to derive an L2 forwarding result on frames. In one embodiment, a 16-bit key is included as a prefix to a 48-bit OSI Level 2 address entry, thereby allowing the inclusion of a 32-bit OSI Level 3 address in the lookup table (e.g., a complete IP version 4 address). Implementations of such a solution are presented to resolve address aliasing issues experienced with multicast group destination addresses, including single source multicast. Solutions to optimizing forwarding of frames in an IEEE 802.1 QinQ environment are also presented. A result of these implementations can be reduction of the amount of unnecessary network traffic generated by a network switch incorporating such an OSI Level 2 address lookup table.

Abstract: Disclosed are, inter alia, methods, apparatus, data structures, computer-readable media, mechanisms, and means for supporting a large number of virtual local area networks (VLANS) in a bridged network. Packets are received that include 802.1Q Virtual Local Area Network (VLAN) identifiers (VIDs). However, rather than accessing the VLAN forwarding information directly based on the VID as conventionally performed, the VLAN forwarding information to use for a particular packet is determined based on an interface (e.g., virtual or physical interface, port, MPLS label, GRE tunnel or other abstraction of the interface). In other words, the interface associated with the packet identifies a context for determining the VLAN forwarding information based on the VID included in the packet. Therefore, network bridging devices can support more VLANs than that imposed by the 4096 possible values of a VID.

Abstract: Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.

Abstract: A mechanism for a network device to constrain multicast flooding of out-of-profile multicast frames is provided by defining a multicast flood domain that includes a subset of ports that are members of the broadcast domain. Such a multicast flood domain can be user configured or dynamically configured to include device ports that are coupled to network elements that should receive such out-of-profile multicast transmissions and exclude network elements that should not receive such multicast transmissions. In one embodiment of the present invention, such capability is provided by incorporating into a network device a mechanism for performing a multicast flood domain lookup of an address table in the event that an out-of-profile multicast frame is received.

Abstract: A method, system, and computer program product are presented to optimize OSI Level 2 switch forwarding of frames comprising IP addresses, 802.1 QinQ VLAN identifiers, multi-protocol label switching labels, and any other usable information meaningful to derive an L2 forwarding result on frames. In one embodiment, a 16-bit key is included as a prefix to a 48-bit OSI Level 2 address entry, thereby allowing the inclusion of a 32-bit OSI Level 3 address in the lookup table (e.g., a complete IP version 4 address). Implementations of such a solution are presented to resolve address aliasing issues experienced with multicast group destination addresses, including single source multicast. Solutions to optimizing forwarding of frames in an IEEE 802.1 QinQ environment are also presented. A result of these implementations can be reduction of the amount of unnecessary network traffic generated by a network switch incorporating such an OSI Level 2 address lookup table.