Abstract: A virtual Internet Protocol (IP) address is assigned to a client device having a client IP address associated therewith. The virtual IP address is then mapped to the client IP address and to an identifier of a Secure Socket Layer (SSL) Virtual Private Network (VPN) tunnel. An incoming packet received through the SSL VPN tunnel and destined to a server device has the client IP address as its source address, which is in turn rewritten with the virtual IP address mapped to the client IP address, resulting in a modified incoming packet that is sent to the server device. An outgoing packet received from the server device for transmission to the client device has the virtual IP address as its destination address, which is in turn rewritten with the client IP address mapped to the virtual IP address, resulting in a modified outgoing packet that is forwarded into the tunnel.

Abstract: The devices, systems, and methods test network connectivity, where the physical network is used to provide one or more service chains connecting service appliances, including firewalls, intrusion detection systems, load balancers, network address translators, web servers, and so on. A service chain may involve multiple routing paths. The devices, systems, and methods test network connectivity test network connectivity by injecting customized echo request packets on each routing path and collecting customized echo reply packets in response. The customized echo reply packets are processed and aggregated to isolate network connectivity problems.

Abstract: Routers using virtual routing and forwarding nodes to implement a service fabric of service chains. The router may configure M+1 virtual routing and forwarding instances, M being an integer representing a number of a plurality of service appliances in a data center network. Each virtual routing and forwarding instance may be associated with a routing table of routing rules to define various service chain routing paths. The routing rules are based on destination addresses in data packets.

Abstract: A service description may be used in network virtualization in order to specify requirements of an application. In order to provide network virtualization for generic networking components, including legacy networking components, the service description is mapped to a logical network implementation and then subsequently mapped to a physical implementation.

Abstract: An embodiment method of loop suppression in a layer-two transit network with multiprotocol label switching (MPLS) encapsulation includes receiving a packet at a provider edge (PE) router for the layer-two transit network. The packet is stored in a non-transitory memory on the PE router. The packet is stored according to a packet data structure having an MPLS label field and a layer-two header. A time-to-live (TTL) attribute is then determined for the packet. The TTL attribute is written to the non-transitory memory in the MPLS label field. The packet is then routed according to information in the layer-two header.

Abstract: A network component including a receiver configured to receive a plurality of Internet Protocol (IP) addresses for a plurality of hosts in a plurality of external Layer 2 networks located at a plurality of physical locations and interconnected via a service, a logic circuit configured to map the IP addresses of the hosts in the external Layer 2 networks to a plurality of Media Access Control (MAC) addresses of a plurality of corresponding gateways in the same external Layer 2 networks, and a transmitter configured to send to the external Layer 2 networks a plurality of a plurality of IP addresses for a plurality of local hosts in a local Layer 2 network coupled to the external Layer 2 networks via the service.

Abstract: An embodiment method of loop suppression in a layer-two transit network with multiprotocol label switching (MPLS) encapsulation includes receiving a packet at a provider edge (PE) router for the layer-two transit network. The packet is stored in a non-transitory memory on the PE router. The packet is stored according to a packet data structure having an MPLS label field and a layer-two header. A time-to-live (TTL) attribute is then determined for the packet. The TTL attribute is written to the non-transitory memory in the MPLS label field. The packet is then routed according to information in the layer-two header.

Abstract: An apparatus comprising a service network and a plurality of Layer 2 networks at a plurality of different physical locations coupled to the service network via a plurality of edge nodes at the Layer 2 networks, wherein the edge nodes are configured to maintain a plurality of Internet Protocol (IP) addresses of a plurality of hosts across the Layer 2 networks, and wherein the IP addresses of the hosts in each of the Layer 2 networks are mapped by the other Layer 2 networks to a Media Access Control (MAC) address of each of the edge nodes in the same Layer 2 networks of the hosts.

Abstract: An alternate path calculation process may be terminated after considering some of a source node's neighbors and without considering each of its neighbors, to reduce the amount of processing required to perform the alternate path calculations. The neighbors may be ranked according to the number of alternate paths that the neighbor has historically been able to provide on the network. The influence of historical success or failure may degrade over time so that the rankings may be adjusted to reflect changes in network topography. A given source node, when computing alternate paths through the network, may preferentially select neighbors to perform alternate path calculations on historically higher scoring nodes before performing calculations on historically lower scoring nodes. Several different criteria may be used to stop the alternate path calculation process before considering all neighbors. The neighbors may be loop free neighbors or U-turn neighbors.

Abstract: Embodiments are provided herein for creating virtual networks with service chains, such as n-tier networks, in the cloud. In an embodiment, a network diagram for a virtual network is received from a user via a graphical user interface. The network diagram comprises elements that represent virtual or physical network components. The network components include switches, routers, firewalls, links, service appliances, virtual machines, servers, or other network components. Upon successfully validating the network diagram, via a validation step, the network diagram is compiled into application programming interface (API) calls ready for execution. The executed APIs are used to establish the virtual network on a physical network infrastructure. The virtual network comprises virtual network components corresponding to the elements or the network diagram.

Abstract: Embodiments are provided for securing source routing using public key based digital signature. If a protected source route is tampered with, a public key based method allows a downstream node to detect the tampering. The method is based on using digital signatures to protect the integrity of source routes. When creating a source route for a traffic flow, a designated network component computes a digital signature and adds the digital signature to the packets. When the packets are received at a node on the route, the node uses the digital signature and a public key to verify the source route and determines accordingly whether the source route has been tampered with. If tampering is detected, the receiving node stops the forwarding of the packets.

Abstract: An apparatus including a service network and a plurality of Layer 2 sites connected by the service network via a plurality of gateways is provided. The gateways are configured to map a plurality of Internet Protocol (IP) addresses of a plurality of hosts under a plurality of virtual local area networks (VLANs) in a plurality of Layer 2 sites to a plurality of addresses (e.g., MAC or others) of the corresponding other gateways, inform the other gateways in other Layer 2 sites of the IP addresses mapped under each of the VLANs in the local Layer 2 sites, and forward data frames originated from the hosts in the local Layer 2 sites to the other gateways in the other Layer 2 sites when destinations of the data frames are residing in the other Layer 2 sites.

Abstract: An apparatus comprising a service network, and a plurality of Layer 2 sites connected by the service network via a plurality of gateways, wherein the gateways are configured to map a plurality of Internet Protocol (IP) addresses of a plurality of hosts under a plurality of virtual local area networks (VLANs) in a plurality of Layer 2 sites to a plurality of addresses (e.g. MAC or others) of the corresponding gateways inform the other gateways in the other Layer 2 sites of the mapped IP addresses under each of the VLANs in the local Layer 2 sites, and forward data frames originated from the hosts in the local Layer 2 sites to the other gateways in the other Layer 2 sites when the data frames' destinations are residing in the other Layer 2 sites.

Abstract: Forwarding state is installed for sparse multicast trees in a link state protocol controlled Ethernet network by enabling intermediate nodes to install state for one or more physical multicast trees, each of which may have multiple logical multicast trees mapped to it. By mapping multiple logical multicasts to a particular physical multicast, and installing state for the physical multicast, fewer FIB entries are required to implement the multiple multicasts. Mapping may be performed by destination nodes before advertising membership in the physical multicast, or may be performed by the intermediate nodes before installing state when a destination node advertises membership in a logical multicast. Intermediate nodes will install state for the physical multicast tree if they are on a shortest path between a source and at least one destination of one of the logical multicasts that has been mapped to the physical multicast.

Abstract: A network component comprising a receiver configured to receive an outgoing frame from a local host, a logic circuit configured to map a destination address (DA) for a target host in the outgoing frame to a DA for a target location of the target host and encapsulate the outgoing frame using the DA for the target location, and a transmitter configured to receive a pre-encapsulated outgoing frame from a local switch, and send the pre-encapsulated outgoing frame to a gateway at a target location, wherein the transmitter does not encapsulate frames received from local switches and decapsulates an incoming frame from a remote gateway destined towards local hosts.

Abstract: A network component comprising a receiver configured to receive an outgoing frame from a local host, a logic circuit configured to map a destination address (DA) for a target host in the outgoing frame to a DA for a target location of the target host and encapsulate the outgoing frame using the DA for the target location, and a transmitter configured to receive a pre-encapsulated outgoing frame from a local switch, and send the pre-encapsulated outgoing frame to a gateway at a target location, wherein the transmitter does not encapsulate frames received from local switches and decapsulates an incoming frame from a remote gateway destined towards local hosts.

Abstract: Routes may be installed across multiple link state protocol controlled Ethernet network areas by causing ABBs to leak I-SID information advertised by BEBs in a L1 network area into an L2 network area. ABBs will only leak I-SIDs for BEBs where it is the closest ABB for that BEB. Where another ABB on the L2 network also leaks the same I-SID into the L2 network area from another L1 network area, the I-SID is of multi-area interest. ABBs will advertise I-SIDs that are common to the L1 and L2 networks back into their respective L1 network. Within each L1 and L2 network area, forwarding state will be installed between network elements advertising common interest in an ISID, so that multi-area paths may be created to span the L1/L2/L1 network areas. The L1/L2/L1 network structure may recurse an arbitrary number of times.

Abstract: Forwarding state may be installed for sparse multicast trees in a link state protocol controlled Ethernet network by enabling intermediate nodes to install state for one or more physical multicast trees, each of which may have multiple logical multicast trees mapped to it. By mapping multiple logical multicasts to a particular physical multicast, and installing state for the physical multicast, fewer FIB entries are required to implement the multiple multicasts to reduce the amount of forwarding state in forwarding tables at the intermediate nodes. Mapping may be performed by destination nodes before advertising membership in the physical multicast, or may be performed by the intermediate nodes before installing state when a destination node advertises membership in a logical multicast.

Abstract: A distributed hash table is implemented to store routing information on a network. Node IDs exchanged in connection with implementation of a link state routing protocol are used as keys in the distributed hash table, and routes are stored at one or more nodes on the network. When a route is learned, the route is processed against the set of keys to determine which nodes should store the route. When a route is needed, the route is processed against the set of keys to determine which nodes should have the route information. The manner in which the route is processed against the set of keys is the same in both instances, so that the DHT may be used to store and retrieve route information on the network. The DHT may be implemented to store MAC addresses, IP addresses, MPLS labels, or other information.

Abstract: A method and apparatus in provided which enables fast layer 2 reconfiguration in a network that includes Routing Bridges. Each Routing Bridge stores, for each forwarding target, identifiers of a primary next Rbridge and an alternate next Rbridge. The forwarding target may be a network end node, or an Egress Rbridge associated with the network end node. In response to a trigger condition, layer 2 communications are selectively switched from a path that includes the primary next Rbridge device to a path that includes the alternate next Rbridge device.