Abstract: Systems, methods, and non-transitory computer-readable storage media for implementing a policy enforcement proxy are disclosed. A data packet associated with a source endpoint group and a destination endpoint group is received at a network device. The network device performs a policy lookup based on the source endpoint group and the destination endpoint group. The network device determines that the policy is not available and in response, modifies the data packet and forwards it to a policy enforcement proxy.

Abstract: The subject technology addresses the need in the art for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology addresses the need in the art for extending multipathing to tenant multicast traffic in an IP overlay network, which enables the network to fully utilize available bandwidth for multicast traffic. In some examples, nodes in the overlay network may be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: Various examples of the present disclosure provide methods for unifying various types of end-point identifiers, such as IPv4 (e.g., Internet protocol version 4 represented by a VRF and an IPv4 address), IPv6 (e.g., Internet protocol version 6 represented by a VRF and an IPv6 address) and L2 (e.g., Layer-2 represented by a bridge domain (BD) and a media access control (MAC) address), by mapping end-point identifiers to a uniform space (e.g., a synthetic IPv4 address and a synthetic VRF) and allowing different forms of lookups to be uniformly handled. In some examples, a lookup database residing on a switch device can be sharded into a plurality of lookup table subsets, each of which resides on a different one of multiple switch chipsets (e.g., Tridents) in the switch device.

Abstract: A ternary content-addressable memory (TCAM) that is implemented based on other types of memory (e.g., SRAM) in conjunction with processing, including hashing functions. Such a H-TCAM may be used, for example, in implementation of routing equipment. A method of storing routing information on a network device, the routing information comprising a plurality of entries, each entry has a key value and a mask value, commences by identifying a plurality of groups, each group comprising a subset number of entries having a different common mask. The groups are identified by determining a subset number of entries that have a common mask value, meaning at least a portion of the mask value that is the same for all entries of the subset number of entries.

Abstract: Aspects of the subject disclosure provide methods for avoiding a packet bounce event in a virtual port channel (VPC). A method of the technology can include steps for detecting a link failure event (e.g., between a first network device and a destination node), and receiving a data packet addressed to the destination node. In some implementations, the method can additionally include steps for rewriting encapsulation information of the first data packet. Systems and computer-readable media are also provided.

Abstract: Certain features required for routing decisions are provided by hardware. For example, the router logic may be modified to provide multiple alternative paths for a link. In some implementations, hardware autonomously detects a link or port failure and routes on an alternate link without software intervention. In one approach, the router stores the alternate paths in the data plane. In some implementations, network devices are also configured for active loop avoidance and detection is implemented so that packets never loop due to multiple failures that occur close to each other.

Abstract: Aspects of the subject disclosure relate to methods for detecting a link failure between the first network device and a destination node, receiving a data packet addressed to the destination node, and rewriting encapsulation information of the first data packet. Subsequent to rewriting the encapsulation information of the first data packet, the first data packet is forwarded to a second network device (e.g., using updated address information in the packet header), wherein the second network device is paired with the first network device in the virtual port channel. In certain aspects, systems and computer readable media are also provided.

Abstract: In some implementations, network traffic can be routed along equal cost paths based on weights assigned to each path. For example, weighted equal cost multipath routing can be implemented by assigning weights to each equal cost path (e.g., uplink, next hop node) to a destination device. When the network device receives a packet, the network device can generate a key (e.g., a random value, a hash value based on packet data, a value between 0 and n, etc.). The key can be used to select an uplink or path upon which to forward the packet. A key can be generated for a packet flow or flowlet. Each flow can be associated with the same key so that each packet in a flow will be forwarded along the same path. Each flowlet can be forwarded along a different uplink.

Abstract: Disclosed herein are methods of forwarding packets on a network, such as a leaf-spine network having leaf devices and spine devices. The methods may include receiving a packet at an ingress leaf device, and determining based, at least in part, on a header of the packet whether the packet is to be transmitted to a spine device. The methods may further include ascertaining based, at least in part, on a header of the packet whether to perform encapsulation on the packet, encapsulating the packet according to a result of the ascertaining, and then transmitting the packet to a spine device according to a result of the determining. Also disclosed herein are network apparatuses which include a processor and a memory, at least one of the processor or the memory being configured to perform some or all of the foregoing described methods.

Abstract: The subject technology addresses the need in the art for directly measuring a maximum latency number with respect to a percentile of network traffic, which a network operator may utilize as an performance indication or metric. Given a traffic percentile, a tracking algorithm in accordance with embodiments described herein may be implemented in hardware and/or software to determine a maximum latency for this specific percentile of traffic.

Abstract: In some implementations, network traffic can be routed along equal cost paths based on weights assigned to each path. For example, weighted equal cost multipath routing can be implemented by assigning weights to each equal cost path (e.g., uplink, next hop node) to a destination device. When the network device receives a packet, the network device can generate a key (e.g., a random value, a hash value based on packet data, a value between 0 and n, etc.). The key can be used to select an uplink or path upon which to forward the packet. A key can be generated for a packet flow or flowlet. Each flow can be associated with the same key so that each packet in a flow will be forwarded along the same path. Each flowlet can be forwarded along a different uplink.

Abstract: Apparatus, systems and methods may be used to monitor data flows and to select and track particularly large data flows. A method of tracking data flows and identifying large-data (“elephant”) flows comprises extracting fields from a packet of data to construct a flow key, computing a hash value on the flow key to provide a hashed flow signature, entering and/or comparing the hashed flow signature with entries in a flow hash table. Each hash table entry includes a byte count for a respective flow. When the byte count for a flow exceeds a threshold value, the flow is added to a large-data flow (“elephant”) table and the flow is then tracked in the large-data flow table.

Abstract: Various embodiments of the present disclosure provide methods for randomly mapping entries in a suitable lookup table across multiple switch devices and/or multiple switch chipsets in each of the multiple switch devices by using two or more independent hash functions. In some embodiments, the number of entries in the lookup table is equal to be the least common multiple of all possible M (i.e., a number of switch devices) choosing R values (i.e., a desired redundancy level).

Abstract: Systems, methods, and non-transitory computer-readable storage media for implementing a policy enforcement proxy are disclosed. A data packet associated with a source endpoint group and a destination endpoint group is received at a network device. The network device performs a policy lookup based on the source endpoint group and the destination endpoint group. The network device determines that the policy is not available and in response, modifies the data packet and forwards it to a policy enforcement proxy.

Abstract: A ternary content-addressable memory (TCAM) that is implemented based on other types of memory (e.g., SRAM) in conjunction with processing, including hashing functions. Such a H-TCAM may be used, for example, in implementation of routing equipment. A method of storing routing information on a network device, the routing information comprising a plurality of entries, each entry has a key value and a mask value, commences by identifying a plurality of groups, each group comprising a subset number of entries having a different common mask. The groups are identified by determining a subset number of entries that have a common mask value, meaning at least a portion of the mask value that is the same for all entries of the subset number of entries.

Abstract: Systems, methods, and non-transitory computer-readable storage media for translating source addresses in an overlay network. An access switch in an overlay network, such as a VXLAN, may receive an encapsulated packet from a tunnel endpoint in the overlay network. The encapsulated packet may originate from a host associated with the tunnel endpoint and be encapsulated at the tunnel endpoint with a first source tunnel endpoint address and a destination tunnel endpoint address. The access switch may replace the first source tunnel endpoint address in the encapsulated packet with a second source tunnel endpoint address of the access switch to yield a translated packet. The access switch may then transmit the translated packet towards the destination tunnel endpoint address.

Abstract: The subject technology addresses the need in the art for improving utilization of network bandwidth in a multicast network environment. More specifically, the disclosed technology addresses the need in the art for extending multipathing to tenant multicast traffic in an IP overlay network, which enables the network to fully utilize available bandwidth for multicast traffic. In some examples, nodes in the overlay network may be connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Abstract: Various examples of the present disclosure provide methods for unifying various types of end-point identifiers, such as IPv4 (e.g., Internet protocol version 4 represented by a VRF and an IPv4 address), IPv6 (e.g., Internet protocol version 6 represented by a VRF and an IPv6 address) and L2 (e.g., Layer-2 represented by a bridge domain (BD) and a media access control (MAC) address), by mapping end-point identifiers to a uniform space (e.g., a synthetic IPv4 address and a synthetic VRF) and allowing different forms of lookups to be uniformly handled. In some examples, a lookup database residing on a switch device can be sharded into a plurality of lookup table subsets, each of which resides on a different one of multiple switch chipsets (e.g., Tridents) in the switch device.

Abstract: Systems, methods, and non-transitory computer-readable storage media for managing routing information in overlay networks. A first tunnel endpoint in an overlay network may receive an encapsulated packet from a second tunnel endpoint. The encapsulated packet may have been encapsulated at the second tunnel endpoint based on another packet originating from a source host that is associated with the second tunnel endpoint. The encapsulated packet can include a source host address for the source host and a source tunnel endpoint address for the second tunnel endpoint. The first tunnel endpoint can then update a lookup table based on an association between the source host address and the source tunnel endpoint address.

Abstract: Aspects of the subject disclosure relate to methods for detecting a link failure between the first network device and a destination node, receiving a data packet addressed to the destination node, and rewriting encapsulation information of the first data packet. Subsequent to rewriting the encapsulation information of the first data packet, the first data packet is forwarded to a second network device (e.g., using updated address information in the packet header), wherein the second network device is paired with the first network device in the virtual port channel. In certain aspects, systems and computer readable media are also provided.