Abstract: A method for protecting data flows between pairs of branch nodes in a software-defined wide-area network (SD-WAN) is disclosed. In an embodiment, the method involves establishing secure connections between a SD-WAN controller and branch nodes in a plurality of branch nodes, wherein each branch node advertises a half-key to the SD-WAN controller via its secure connection, distributing advertised half-keys to branch nodes in the plurality of branch nodes via the established secure connections, wherein the advertised half-keys distributed to each branch node are the half-keys advertised by peer branch nodes of the branch node, and encrypting payloads for transmission from a first branch node in the plurality of branch nodes to a peer branch node in the plurality of branch nodes using a shared secret key, the shared secret key generated using the half-key of the first branch node and the distributed half-key of the peer branch node.

Abstract: A method for protecting data flows between pairs of branch nodes in a software-defined wide-area network (SD-WAN) is disclosed. In an embodiment, the method involves establishing secure connections between a SD-WAN controller and branch nodes in a plurality of branch nodes, wherein each branch node advertises a half-key to the SD-WAN controller via its secure connection, distributing advertised half-keys to branch nodes in the plurality of branch nodes via the established secure connections, wherein the advertised half-keys distributed to each branch node are the half-keys advertised by peer branch nodes of the branch node, and encrypting payloads for transmission from a first branch node in the plurality of branch nodes to a peer branch node in the plurality of branch nodes using a shared secret key, the shared secret key generated using the half-key of the first branch node and the distributed half-key of the peer branch node.

Abstract: In general, techniques for facilitating a distributed network (L3) subnet by which multiple independent control planes of network devices connected to physically separate L2 networks provide L2 reachability to/from a single L3 subnet. In some examples, a shared L2 network physically situated to connect a plurality of physically separate L2 networks “stitches” the L2 networks together within the respective, independent control planes of switches such that the control planes bridge L2 traffic for a single bridge domain for the separate L2 networks to the shared L2 network and visa-versa. Each of the independent control planes may be configured with a virtual IRB instance associated with the bridge domain and with a common network subnet. Each of the virtual IRBs provides a functionally similar routing interface for the single bridge domain for the separate L2 networks and allows the shared network subnet to be distributed among the independent control planes.

Abstract: A first provider edge (PE) device is configured to: receive a Label Distribution Protocol (LDP) MAC Flush message from a PE device via an input port; flush a routing table in response to the LDP MAC Flush message; determine whether the LDP MAC Flush message comprises a PE identifier corresponding to the PE device; generate a Topology Change Notification (TCN) message based on the LDP MAC Flush message when the LDP MAC Flush message comprises the PE identifier corresponding to the PE device; and output the TCN message.

Abstract: A provider edge bridge in a service provider network receives multiple media access control (MAC) Registration Protocol (MMRP) registration messages from customer networks via tunnels. The provider edge bridge snoops the MMRP registration messages to obtain multicast MAC addresses from the registration messages, and tunnels the MMRP registration messages toward one or more other bridges. The provider edge bridge constructs multicast forwarding tables based on the multicast addresses obtained from snooping the MMRP registrations, and uses the multicast forwarding tables for forwarding data units from the provider edge bridge towards destinations.

Abstract: In general, techniques are described for synchronizing gateway layer two (L2) addresses of routers that cooperate to provide interconnectivity to multiple, separate L2 networks. In one example, a router includes a VPLS module that establishes a VPLS instance to provide L2 connectivity between a local L2 network for the router and a remote L2 network for the router, wherein the router is addressable by a gateway L2 address. A synchronization module receives a gateway L2 address synchronization message that includes an additional gateway L2 address for an additional router. An integrated routing and bridging (IRB) interface of the router receives a L2 PDU from the local L2 network on an attachment circuit for the VPLS instance attached to the interface card, and a forwarding unit routes a layer three (L3) packet carried by the PDU when the PDU has an L2 destination address that matches the additional gateway L2 address.

Abstract: In general, techniques for facilitating a distributed network (L3) subnet by which multiple independent control planes of network devices connected to physically separate L2 networks provide L2 reachability to/from a single L3 subnet. In some examples, a shared L2 network physically situated to connect a plurality of physically separate L2 networks “stitches” the L2 networks together within the respective, independent control planes of switches such that the control planes bridge L2 traffic for a single bridge domain for the separate L2 networks to the shared L2 network and visa-versa. Each of the independent control planes may be configured with a virtual IRB instance associated with the bridge domain and with a common network subnet. Each of the virtual IRBs provides a functionally similar routing interface for the single bridge domain for the separate L2 networks and allows the shared network subnet to be distributed among the independent control planes.

Abstract: A first provider edge (PE) device is configured to: receive a Label Distribution Protocol (LDP) MAC Flush message from a PE device via an input port; flush a routing table in response to the LDP MAC Flush message; determine whether the LDP MAC Flush message comprises a PE identifier corresponding to the PE device; generate a Topology Change Notification (TCN) message based on the LDP MAC Flush message when the LDP MAC Flush message comprises the PE identifier corresponding to the PE device; and output the TCN message.

Abstract: A first provider edge (PE) device is configured to: receive a Label Distribution Protocol (LDP) MAC Flush message from a PE device via an input port; flush a routing table in response to the LDP MAC Flush message; determine whether the LDP MAC Flush message comprises a PE identifier corresponding to the PE device; generate a Topology Change Notification (TCN) message based on the LDP MAC Flush message when the LDP MAC Flush message comprises the PE identifier corresponding to the PE device; and output the TCN message.

Abstract: Techniques are described for forwarding packets in a VPLS using multi-homing PE routers configured in an “active-active” link topology. A router includes a control unit that forms a customer-facing multi-chassis link aggregation group (LAG) to include a plurality of active access links that couple the router and a second router to a multi-homed customer site associated with the VPLS domain. The control unit also forms a core-facing multi-chassis LAG within the VPLS domain to include a plurality of pseudowires that connect the router and other member routers of the core-facing LAG to a common remote router of the VPLS domain. The router receives layer two (L2) packets from the multi-homed customer site on one or more of the active access links and forwards the L2 packets to the remote router over one or more of the pseudowires using the core-facing multi-chassis LAG.

Abstract: In general, techniques are described for using a light-weight protocol to synchronize layer two (L2) addresses that identify routable traffic to multiple L3 devices, such as PE routers, that cooperatively employ an active-active redundancy configuration using a multi-chassis LAG to provide an L2 network with redundant connectivity. In one example, a network device establishes a multi-chassis LAG with a peer network device to provide redundant connectivity to a layer three (L3) network. A synchronization module of the network device receives a synchronization message that specifies an L2 address of the peer network device. When the network device receives an L2 packet data unit (PDU) from the L2 network, a routing instance of the network device routes an L3 packet encapsulated therein when the PDU has an L2 destination address that matches the L2 address of the peer network device.

Abstract: A provider edge bridge in a service provider network receives multiple media access control (MAC) Registration Protocol (MMRP) registration messages from customer networks via tunnels. The provider edge bridge snoops the MMRP registration messages to obtain multicast MAC addresses from the registration messages, and tunnels the MMRP registration messages toward one or more other bridges. The provider edge bridge constructs multicast forwarding tables based on the multicast addresses obtained from snooping the MMRP registrations, and uses the multicast forwarding tables for forwarding data units from the provider edge bridge towards destinations.

Abstract: Methods, apparatus, and products for routing frames in a network using bridge identifiers, wherein the network includes a plurality of bridge nodes. At least one of the bridge nodes operates as an ingress bridge node through which frames are received into the network. At least one of the bridge nodes operates as an egress bridge node through which frames are transmitted out of the network. One of the bridge nodes receives, from the ingress bridge node, a frame for transmission to a destination node. The destination node connects to the network through the egress bridge node. The frame includes an ingress bridge identifier and an egress bridge identifier. The bridge that received the frame then routes the frame to the egress bridge node through which the destination node connects to the network in dependence upon the ingress bridge identifier and the egress bridge identifier included in the frame.

Abstract: In general, techniques are described for enhanced learning in layer two (L2) networks. A first network device of the intermediate network comprising a control unit and an interface may implement these techniques. The control unit executes a loop-prevention protocol (LPP) that determines a bridge identifier associated with a second network device of the intermediate network, where the first and second network devices each couple to a first network. The LPP selects the second network device as a root bridge and detects a topology change that splits the first network into sub-networks. The interface then outputs a message to direct remaining network devices of the intermediate network to clear L2 address information learned when forwarding L2 communications. The message includes the bridge identifier determined by the loop-prevention protocol as the root bridge and directs these remaining network devices to clear only the L2 addresses learned from this bridge identifier.

Abstract: A provider edge bridge in a service provider network receives multiple media access control (MAC) Registration Protocol (MMRP) registration messages from customer networks via tunnels. The provider edge bridge snoops the MMRP registration messages to obtain multicast MAC addresses from the registration messages, and tunnels the MMRP registration messages toward one or more other bridges. The provider edge bridge constructs multicast forwarding tables based on the multicast addresses obtained from snooping the MMRP registrations, and uses the multicast forwarding tables for forwarding data units from the provider edge bridge towards destinations.

Abstract: A device includes one or more network interfaces to receive layer two (L2) communications from an L2 network having a plurality of L2 devices; and a control unit to forward the L2 communications in accordance with forwarding information defining a plurality of flooding next hops. Each of the flooding next hops stored by the control unit specifies a set of the L2 devices within the L2 network to which to forward L2 communications in accordance with a plurality of trees, where each of the trees has a different one of the plurality of L2 devices as a root node. The control unit of the device computes a corresponding one of flooding next hops for each of the trees using only a subset of the trees without computing all of the trees having all of the different L2 network devices as root nodes.

Abstract: Methods, apparatus, and products for routing frames in a shortest path computer network for a multi-homed legacy bridge, wherein the network includes a plurality of bridges. At least two of the plurality of bridges operate as edge bridges through which the frames ingress and egress the network. A first edge bridge identifies a legacy bridge nickname for a legacy bridge connected to the network through the first edge bridge and a second edge bridge using active-active link aggregation. The first bridge receives a frame from the legacy bridge and determines, in dependence upon the frame's destination node address, an egress bridge nickname for a third bridge through which a destination node connects to the network. The first bridge then adds the legacy bridge nickname and the egress bridge nickname to the frame and routes the frame to the third bridge in dependence upon the egress bridge nickname.

Abstract: A provider edge bridge in a service provider network receives multiple media access control (MAC) Registration Protocol (MMRP) registration messages from customer networks via tunnels. The provider edge bridge snoops the MMRP registration messages to obtain multicast MAC addresses from the registration messages, and tunnels the MMRP registration messages toward one or more other bridges. The provider edge bridge constructs multicast forwarding tables based on the multicast addresses obtained from snooping the MMRP registrations, and uses the multicast forwarding tables for forwarding data units from the provider edge bridge towards destinations.

Abstract: Methods, apparatus, and products for routing frames in a shortest path computer network for a multi-homed legacy bridge, wherein the network includes a plurality of bridges. At least two of the plurality of bridges operate as edge bridges through which the frames ingress and egress the network. A first edge bridge identifies a legacy bridge nickname for a legacy bridge connected to the network through the first edge bridge and a second edge bridge using active-active link aggregation. The first bridge receives a frame from the legacy bridge and determines, in dependence upon the frame's destination node address, an egress bridge nickname for a third bridge through which a destination node connects to the network. The first bridge then adds the legacy bridge nickname and the egress bridge nickname to the frame and routes the frame to the third bridge in dependence upon the egress bridge nickname.

Abstract: Methods, apparatus, and products are disclosed for routing frames in a TRILL network using service VLAN identifiers by: receiving a frame from an ingress bridge node for transmission through the TRILL network to a destination node that connects to the TRILL network through an egress node, the received frame including a customer VLAN identifier, a service VLAN identifier uniquely assigned to the ingress bridge node, and a destination node address for the destination node, the received frame not having mac-in-mac encapsulation; adding, in dependence upon the service VLAN identifier and the destination node address, a TRILL header conforming to the TRILL protocol, the TRILL header including an ingress bridge nickname and an egress bridge nickname; and routing, to the egress bridge node through which the destination node connects to the network, the frame in dependence upon the ingress bridge nickname and the egress bridge nickname.