Abstract: In an embodiment, a method for providing automatic router assignment in a virtual environment involves receiving a gratuitous ARP packet and setting a default gateway MAC address to a sender hardware address of the received gratuitous ARP packet, wherein the sender hardware address of the received gratuitous ARP packet is a MAC address of a master virtual router elected from a plurality of virtual routers, wherein a virtual router in the plurality of virtual routers is configured to elect a master virtual router by receiving at least one priority value advertised by another virtual router in the plurality of virtual routers, comparing the at least one received priority value to a priority value local to the virtual router to determine which priority value is the highest, and electing the virtual router having the highest priority value as the master virtual router.

Abstract: In an embodiment, a method for providing automatic router assignment in a virtual environment involves receiving a gratuitous ARP packet and setting a default gateway MAC address to a sender hardware address of the received gratuitous ARP packet, wherein the sender hardware address of the received gratuitous ARP packet is a MAC address of a master virtual router elected from a plurality of virtual routers, wherein a virtual router in the plurality of virtual routers is configured to elect a master virtual router by receiving at least one priority value advertised by another virtual router in the plurality of virtual routers, comparing the at least one received priority value to a priority value local to the virtual router to determine which priority value is the highest, and electing the virtual router having the highest priority value as the master virtual router.

Abstract: In accordance with an embodiment of the invention, a method for routing connections in an SD-WAN is disclosed. The method involves receiving TURN server performance metrics via Border Gateway Protocol (BGP) and receiving network performance metrics from calculations made using Service Level Agreement (SLA) protocol data units (PDUs) for TURN servers in an SD-WAN, generating a score for at least one TURN server in the SD-WAN based on the received TURN server performance metrics and received network performance metrics for the at least one TURN server, selecting a TURN server based on the score generated for the at least one TURN server, and routing a connection over the selected TURN server.

Abstract: In an embodiment, a method for providing automatic router assignment in a virtual environment involves receiving a gratuitous ARP packet and setting a default gateway MAC address to a sender hardware address of the received gratuitous ARP packet, wherein the sender hardware address of the received gratuitous ARP packet is a MAC address of a master virtual router elected from a plurality of virtual routers, wherein a virtual router in the plurality of virtual routers is configured to elect a master virtual router by receiving at least one priority value advertised by another virtual router in the plurality of virtual routers, comparing the at least one received priority value to a priority value local to the virtual router to determine which priority value is the highest, and electing the virtual router having the highest priority value as the master virtual router.

Abstract: In an embodiment, a method for providing automatic router assignment in a virtual environment involves receiving a gratuitous ARP packet and setting a default gateway MAC address to a sender hardware address of the received gratuitous ARP packet, wherein the sender hardware address of the received gratuitous ARP packet is a MAC address of a master virtual router elected from a plurality of virtual routers, wherein a virtual router in the plurality of virtual routers is configured to elect a master virtual router by receiving at least one priority value advertised by another virtual router in the plurality of virtual routers, comparing the at least one received priority value to a priority value local to the virtual router to determine which priority value is the highest, and electing the virtual router having the highest priority value as the master virtual router.

Abstract: In accordance with an embodiment of the invention, a method for routing connections in an SD-WAN is disclosed. The method involves receiving TURN server performance metrics via Border Gateway Protocol (BGP) and receiving network performance metrics from calculations made using Service Level Agreement (SLA) protocol data units (PDUs) for TURN servers in an SD-WAN, generating a score for at least one TURN server in the SD-WAN based on the received TURN server performance metrics and received network performance metrics for the at least one TURN server, selecting a TURN server based on the score generated for the at least one TURN server, and routing a connection over the selected TURN server.

Abstract: A method for protecting data flows between pairs of branch nodes in a software-defined wide-area network (SD-WAN) is disclosed. In an embodiment, the method involves establishing secure connections between a SD-WAN controller and branch nodes in a plurality of branch nodes, wherein each branch node advertises a half-key to the SD-WAN controller via its secure connection, distributing advertised half-keys to branch nodes in the plurality of branch nodes via the established secure connections, wherein the advertised half-keys distributed to each branch node are the half-keys advertised by peer branch nodes of the branch node, and encrypting payloads for transmission from a first branch node in the plurality of branch nodes to a peer branch node in the plurality of branch nodes using a shared secret key, the shared secret key generated using the half-key of the first branch node and the distributed half-key of the peer branch node.

Abstract: A method for protecting data flows between pairs of branch nodes in a software-defined wide-area network (SD-WAN) is disclosed. In an embodiment, the method involves establishing secure connections between a SD-WAN controller and branch nodes in a plurality of branch nodes, wherein each branch node advertises a half-key to the SD-WAN controller via its secure connection, distributing advertised half-keys to branch nodes in the plurality of branch nodes via the established secure connections, wherein the advertised half-keys distributed to each branch node are the half-keys advertised by peer branch nodes of the branch node, and encrypting payloads for transmission from a first branch node in the plurality of branch nodes to a peer branch node in the plurality of branch nodes using a shared secret key, the shared secret key generated using the half-key of the first branch node and the distributed half-key of the peer branch node.

Abstract: Methods, apparatus, and products for routing frames in a shortest path computer network for a multi-homed legacy bridge, wherein the network includes a plurality of bridges. At least two of the plurality of bridges operate as edge bridges through which the frames ingress and egress the network. A first edge bridge identifies a legacy bridge nickname for a legacy bridge connected to the network through the first edge bridge and a second edge bridge using active-active link aggregation. The first bridge receives a frame from the legacy bridge and determines, in dependence upon the frame's destination node address, an egress bridge nickname for a third bridge through which a destination node connects to the network. The first bridge then adds the legacy bridge nickname and the egress bridge nickname to the frame and routes the frame to the third bridge in dependence upon the egress bridge nickname.

Abstract: Methods, apparatus, and products for routing frames in a shortest path computer network for a multi-homed legacy bridge, wherein the network includes a plurality of bridges. At least two of the plurality of bridges operate as edge bridges through which the frames ingress and egress the network. A first edge bridge identifies a legacy bridge nickname for a legacy bridge connected to the network through the first edge bridge and a second edge bridge using active-active link aggregation. The first bridge receives a frame from the legacy bridge and determines, in dependence upon the frame's destination node address, an egress bridge nickname for a third bridge through which a destination node connects to the network. The first bridge then adds the legacy bridge nickname and the egress bridge nickname to the frame and routes the frame to the third bridge in dependence upon the egress bridge nickname.

Abstract: Methods, apparatus, and products are disclosed for routing frames in a TRILL network using service VLAN identifiers by: receiving a frame from an ingress bridge node for transmission through the TRILL network to a destination node that connects to the TRILL network through an egress node, the received frame including a customer VLAN identifier, a service VLAN identifier uniquely assigned to the ingress bridge node, and a destination node address for the destination node, the received frame not having mac-in-mac encapsulation; adding, in dependence upon the service VLAN identifier and the destination node address, a TRILL header conforming to the TRILL protocol, the TRILL header including an ingress bridge nickname and an egress bridge nickname; and routing, to the egress bridge node through which the destination node connects to the network, the frame in dependence upon the ingress bridge nickname and the egress bridge nickname.

Abstract: Methods, apparatus, and products are disclosed for routing frames in a TRILL network using service VLAN identifiers by: receiving a frame from an ingress bridge node for transmission through the TRILL network to a destination node that connects to the TRILL network through an egress node, the received frame including a customer VLAN identifier, a service VLAN identifier uniquely assigned to the ingress bridge node, and a destination node address for the destination node, the received frame not having mac-in-mac encapsulation; adding, in dependence upon the service VLAN identifier and the destination node address, a TRILL header conforming to the TRILL protocol, the TRILL header including an ingress bridge nickname and an egress bridge nickname; and routing, to the egress bridge node through which the destination node connects to the network, the frame in dependence upon the ingress bridge nickname and the egress bridge nickname.

Abstract: An efficient mechanism for wire-tapping network traffic is disclosed. In one embodiment of the invention, a primary forwarding lookup process and a secondary forwarding lookup process are performed in parallel and independently of each other. The primary forwarding lookup process determines the output interface to which the packet is to be routed regardless of whether the packet is to be intercepted. The secondary forwarding lookup process determines whether the packet is to be intercepted and also determines the output interface to which a copy of the packet is to be routed. Because the lookup processes are performed independently and in parallel, normal packet forwarding can be performed at line rate or near line rate while the packets are intercepted.

Abstract: Synchronizing multiple instances of an FIB in a network node that has a distributed processing architecture involves associating sequence numbers with all of the FIB entries that are stored with each instance of the FIB and using the sequence numbers that are associated with the FIB entries to determine the most current FIB entry. In one embodiment, the sequence numbers are used to determine the most current FIB entry among two matching FIB entries that have matching information (i.e., matching destination IP addresses and masks). In another embodiment, the sequence numbers are used to identify a line card with the most current FIB entry.

Abstract: A concept of “Interface Class” is introduced. All logical interfaces that belong to an Interface Class are indistinguishable in hardware. Each Interface Class is associated with one or more packet forwarding rules, such as Access Control Lists (ACLs), Policy Routes, and Quality of Service (QoS). Each Interface Class is also assigned with a Class ID, which is a user-defined integer. When defined in terms of a Class ID, a logical interface (e.g., an L3 Interface) will inherit all the packet forwarding rules associated with the Class ID. In one embodiment, Class IDs and Interface IDs can be stored in the same hardware lookup table in association with data representative of their respective packet forwarding rules.

Abstract: Distributing forwarding information in a router that has a distributed processing architecture involves distributing the forwarding information from one instance of an operating system to another instance of an operating system in parallel using two different communications channels where one of the communications channels is characteristically reliable yet relatively slow and where the other one of the communications channels is characteristically unreliable yet relatively fast. The forwarding information that is distributed via the relatively fast communications channel can be used to rapidly update forwarding tables such as hardware forwarding tables while the forwarding information that is distributed via the reliable communications channel can be used to resolve errors that may occur during distribution via the relatively fast communications channel.

Abstract: Protection switching between primary and secondary paths in a packet-based network involves table entries that are pre-programmed with a primary path, a secondary path, and a value that identifies the primary path, referred to as a primary path identifier (PPI). When table entries are accessed to make forwarding decisions, the PPI is compared to a field that identifies that a particular path is down, referred to as a down path identifier (DPI). If the two fields match, (i.e., PPI=DPI), then the secondary path is selected instead of the primary path as the path on which the traffic should be forwarded.

Abstract: A network node maintains an inactive config file of unsuccessfully executed configuration commands. The network node maintains an active config file of active executed configuration commands. In response to a change of conditions that invalidates an active configuration command, the network node moves data from the active config file to the inactive config file. In response to a change of conditions, the network node re-executes inactive commands and moves data from the inactive config file to the active config file if an inactive configuration command is successfully re-executed.

Abstract: An efficient mechanism for wire-tapping network traffic is disclosed. In one embodiment of the invention, a primary forwarding lookup process and a secondary forwarding lookup process are performed in parallel and independently of each other. The primary forwarding lookup process determines the output interface to which the packet is to be routed regardless of whether the packet is to be intercepted. The secondary forwarding lookup process determines whether the packet is to be intercepted and also determines the output interface to which a copy of the packet is to be routed. Because the lookup processes are performed independently and in parallel, normal packet forwarding can be performed at line rate or near line rate while the packets are intercepted.

Abstract: Synchronizing multiple instances of an FIB in a network node that has a distributed processing architecture involves associating sequence numbers with all of the FIB entries that are stored with each instance of the FIB and using the sequence numbers that are associated with the FIB entries to determine the most current FIB entry. In one embodiment, the sequence numbers are used to determine the most current FIB entry among two matching FIB entries that have matching information (i.e., matching destination IP addresses and masks). In another embodiment, the sequence numbers are used to identify a line card with the most current FIB entry.